Foreword



About Cryptology 

It is now widely perceived that we are experiencing an information revolution 
whose effects will ultimately be as pervasive and profound as was brought 
by the industrial revolution of the last century. From the beginning of time, 
information has been an important asset for humans. In the early days of 
human existence, the mere knowledge of where to most easily gather food was 
the difference between life and death. Throughout history, information has 
provided the means for winning wars, making fortunes, and shaping history. 
The underlying theme of the information revolution is that we continue to 
find new ways to use information. These new uses for information serve to 
highlight our need to protect different aspects of information. 

Cryptology may be broadly defined as the scientific study of adversarial 
information protection. Cryptology has traditionally dealt with the confi- 
dentiality of information, but innovation in using information produces new 
requirements for protection of that information. Some are longstanding and 
fundamental: how do we guarantee that information is “authentic”? How do
we guarantee that information is timely? How can we produce bits that have
the same properties as “money”? Each of these questions has been grappled
with in the cryptologic research community. 



History of the IACR

Cryptography has a long and illustrious history, but relatively little pub- 
lished scientific literature existed prior to the mid 1970s, when public key 
cryptography was discovered and interest was sparked in the scientific study 
of information protection. The early 1980’s saw a number of conferences on 
the subject of cryptography, including the first conference held in Santa Bar- 
bara in 1981, organized by Alan Gersho of UCSB. This was followed in 1982 
by the CRYPTO ’82 conference. A report on this conference was published 
by David Kahn in Cryptologia the following year: 

“At the initiative of David Chaum the organizer of CRYPTO 
’82, some attendees met the last day to begin organizing what they 
tentatively called an International Association for Cryptologic
Research. Its main functions would be (1) to coordinate meetings on
cryptology as to time, place and program and in some cases to run 
them, and (2) to publish a bulletin to give notice of conferences and 
of cryptologic sessions at other conferences. Members of the organizing
committee are Chaum; Henry J. Beker of RACAL-Comsec Ltd. in 
Salisbury, England; Whitfield Diffie of BNR in Palo Alto, Califor- 
nia; Robert R. Jueneman of Satellite Business Systems in McLean, 
Virginia; Ernest F. Brickell of Sandia National Laboratories in Al- 
buquerque, New Mexico; Stephen Kent of Bolt, Beranek & Newman 
in Cambridge, Massachusetts; and David Kahn of Great Neck, New 
York, an editor of Cryptologia.” 

CRYPTO ’83 then became the first conference officially sponsored by IACR.
From these early beginnings, IACR has grown to be a scientific organization
with over a thousand members worldwide, representing over 65 countries.
IACR now sponsors two conferences each year, called CRYPTO and EUROCRYPT.
CRYPTO is held each year in August at the University of California
in Santa Barbara, USA. EUROCRYPT is held each spring in a different location
in Europe. IACR will also begin sponsorship of the Asiacrypt conference
in 2000.



Proceedings of CRYPTO and EUROCRYPT 

The work published here includes the proceedings of all conferences that have 
been organized by the International Association for Cryptologic Research 
since 1983. In addition, material from a few other conferences that spawned 
IACR is included:

— proceedings of CRYPTO ’81. These were first published as a technical 
report by the University of California, Santa Barbara, and have had only 
very limited circulation prior to this volume. In addition, it was previously 
published in SIGACT News in 1983. 

— proceedings of the 1982 predecessor to EUROCRYPT. The IACR was in
the process of being formed at that time, but there was already an intent
among many of the organizers for this to be the first in a series of
European conferences on cryptology organized by IACR. The ’82 conference
was not originally called EUROCRYPT, but is now generally referred to
as EUROCRYPT ’82.

— proceedings of CRYPTO ’82 and ’83. These were originally published by 
Plenum Publishing. As of the time of this writing (mid-1998), the proceed- 
ings of CRYPTO ’83 are no longer available in print. 

— abstracts from EUROCRYPT ’86. This volume was only distributed to 
conference attendees. 
EUROCRYPT ’86 and CRYPTO ’81 had no formal proceedings, and the
material included here consists mostly of abstracts. In fact, over time it is 
possible to detect a noticeable change in the tone of papers in all of these 
volumes, from early publication of “Extended Abstracts” to more carefully 
refereed high quality papers. 

The proceedings of both CRYPTO and EUROCRYPT have been published by
Springer-Verlag since 1984 in the series “Lecture Notes in Computer
Science”. Prior to 1994, authors submitted abstracts that were distributed
to attendees at the conference, and these abstracts were then refined and
published as formal proceedings at a later date (an exception was made
at EUROCRYPT ’86). Beginning with CRYPTO ’94, the proceedings of EUROCRYPT
and CRYPTO have been available at the conference.



The Evolution of Cryptology Research 

The work published here represents the majority of the important research 
work that has been published by the open cryptologic research community 
during the last fifteen years. In spite of the great work that has been done, 
there are still huge gaps in our knowledge of information protection. I hope 
that the republication of these proceedings will stimulate further research in 
the field and I thank Springer-Verlag for supporting the initiative to produce
them. 

Looking at how the field has evolved over the years, there are some no- 
ticeable trends. The ones that are most noticeable to this author are the 
following: 



Complexity-based reasoning on security 

The first mention that I am aware of involving reasoning about security 
based on what an adversary could compute appeared in Shannon’s seminal 
paper of 1948. Once Diffie and Hellman published their paper on public key
cryptography, we were presented with concrete constructions that led to a 
huge body of work on complexity-based reasoning on security. In recent years 
some of the work in complexity-based security has incorporated some of the 
original ideas of Shannon on information-theoretic security. In spite of the 
considerable progress that has been made, I would argue that the field is 
still not closed, because some of the assumptions we are required to make in 
order to prove reasonable security are still questionable. Moreover, computing 
is fundamentally about resource management, and in spite of Moore’s law, 
there continue to be increasing demands for processing speed, storage, and 
communication. The constructions that we have today may have considerable 
room for improvement, both in their security and their practicality. 
Environmental Attacks and Protocols

I use the term “environmental attacks” to include things such as fault analy- 
sis, timing attacks, and power analysis. Each of these has been demonstrated 
to pose a serious hazard in real world applications, and also serves to high- 
light several defects in our abstract modeling of security. First is the fact 
that our models of computers fail to take into account all aspects of their 
physical instantiation. Looking at a computer as a “black box” provides an 
elegant abstraction, but in practice the box exists in three dimensional space, 
manipulates energy, and produces ancillary outputs. Future models of com- 
puters and security may emerge to describe these phenomena. The second 
deficiency in our understanding has to do with the fact that true security re- 
quires analysis of protocols instead of serial algorithms. If we include parallel 
and distributed algorithms, then the difference between a protocol and an 
algorithm is that an algorithm may involve multiple parties, but a protocol 
always does. When reasoning about security, there are always at least two 
parties: the adversary and the participant. Any analysis that fails to address 
the capabilities of an adversary to affect the outputs is doomed to failure. 

Linear and Differential Cryptanalysis 

Linear and Differential cryptanalysis have emerged as the most effective gen- 
eral techniques available for attacking practical ciphers. At the same time, 
progress has been made in designing ciphers that are resistant to these at- 
tacks. 

New Applications 

Cryptology is no longer restricted to the study of only encryption and con- 
fidentiality. As new uses of information emerge, they bring with them new 
requirements for information. As a result, we have seen discussion of crypto- 
graphic constructions for electronic cash, timestamping, program checking, 
intellectual property protection, etc. Each of these applications raises whole 
new areas for investigation. 

It is ironic that the publication of this CDROM itself raises interesting 
and serious issues in the protection of information, since the information age 
is changing the very foundation of what it means to “publish”. Some have
argued that electronic publishing raises serious concerns about the mechanism
for archiving scientific work for the ages. Others have argued that the role of
traditional publishers is threatened by the information age. Some publishers
are concerned that their ability to make a living is threatened by electronic
distribution of information, since bits are easily copied and the meaning of
traditional copyrights is evolving. Nevertheless, Springer-Verlag has taken
the lead in developing technologies that offer new capabilities for the use of
information.
Some Statistics

I close this section with some statistics and trivia about the body of literature. 
This collection contains 1285 individual papers, by a total of 854 authors. In 
what follows, we use a shorthand notation for references. For example, a 
reference of the form c90-323 refers to a paper in CRYPTO ’90 starting on 
page 323, and e91-14 refers to a paper in EUROCRYPT ’91 starting on page 
14. 

Most Authors on a Single Paper 

The following papers have the most co-authors. 

10 authors c83-171, Davio, M., Desmedt, Y., Fosseprez, M., Govaerts, R., 
Hulsbosch, J., Neutjens, P., Piret, P., Quisquater, J. J., Vandewalle, J. 
and Wouters, P., Analytical characteristics of the DES 
7 authors c88-37, Ben-Or, M., Goldreich, O., Goldwasser, S., Hastad, J., Kil- 
ian, J., Micali, S. and Rogaway, P., Everything provable is provable in 
zero-knowledge 

7 authors c91-44, Bird, R., Gopal, I., Herzberg, A., Janson, P., Kutten, S.,
Molva, R. and Yung, M., Systematic design of two-party authentication 
protocols 

7 authors e92-194, Desmedt, Y., Landrock, P., Lenstra, A. K., McCurley, K. 
S., Odlyzko, A. M., Rueppel, R. A. and Smid, M. E., The Eurocrypt ’92 
Controversial Issue: Trapdoor Primes and Moduli 
6 authors e89-267, Vandewalle, J., Chaum, D., Fumy, W., Jansen, C. J. A., 
Landrock, P. and Roelofsen, G., A European call for cryptographic algo- 
rithms: RIPE; Race Integrity Primitives Evaluation 
6 authors e91-547, Preneel, B., Chaum, D., Fumy, W., Jansen, C. J. A., 
Landrock, P. and Roelofsen, G., Race Integrity Primitives Evaluation 
6 authors c92-471, Blundo, C., De Santis, A., Herzberg, A., Kutten, S., Vac- 
caro, U. and Yung, M., Perfectly-secure key distribution for dynamic 
conferences 

5 authors c96-329, Hughes, R. J., Luther, G. G., Morgan, G. L., Peterson, C. 
G. and Simmons, C., Quantum Cryptography over Underground Optical 
Fibers 

5 authors c81-154, Diffie, W., Klein, M., Dertouzos, M. L., Gleason, A. and 
Smith, D., Panel Discussion: National Security and Commercial Security: 
Division of Responsibility 

5 authors c84-144, Davio, M., Desmedt, Y., Goubert, J., Hoornaert, F. and 
Quisquater, J. J., Efficient hardware and software implementations for 
the DES 

5 authors e85-43, Vandewalle, J., Govaerts, R., De Becker, W., Decroos, M. 
and Speybrouck, G., Implementation study of public key cryptography 
protection in an existing electronic mail and document handling system. 
5 authors c85-3, Estes, D., Adleman, L. M., Kompella, K., McCurley, K. S.
and Miller, G. L., Breaking the Ong-Schnorr-Shamir signature scheme 
for quadratic number fields 

5 authors c86-277, Orton, G. A., Roy, M. P., Scott, P. A., Peppard, L. E. and 
Tavares, S. E., VLSI implementation of public-key encryption algorithms 
5 authors c88-297, Abadi, M., Allender, E., Broder, A., Feigenbaum, J. and 
Hemachandra, L. A., On generating solved instances of computational 
problems 

5 authors e89-294, Chaum, D., den Boer, B., van Heyst, E., Mjoelsnes, S. F.
and Steenbeek, A., Efficient offline electronic checks (extended abstract)
5 authors e90-161, Preneel, B., Van Leekwijck, W., Van Linden, L., Govaerts, 
R. and Vandewalle, J., Propagation characteristics of Boolean functions 
5 authors e90-253, Bennett, C. H., Bessette, F., Brassard, G., Salvail, L. and
Smolin, J., Experimental quantum cryptography 
5 authors e90-465, Guillou, L. G., Quisquater, J. J., Walker, M., Landrock, 
P. and Shaer, G., Precautions taken against various potential attacks in 
ISO/IEC DIS 9796

5 authors e92-356, Biehl, I., Buchmann, J. A., Meyer, B., Thiel, C. and Thiel,
C., Tools for proving zero knowledge

5 authors c92-215, Dwork, C., Feige, U., Kilian, J., Naor, M. and Safra, M.,
Low communication 2-prover zero-knowledge proofs for NP 
5 authors e93-126, Kurosawa, K., Okada, K., Sakano, K., Ogata, W. and 
Tsujii, S., Nonperfect secret sharing schemes and matroids 
5 authors e94-433, Charnes, C., O’Connor, L., Pieprzyk, J., Safavi-Naini, R.
and Zheng, Y., Comments on Soviet encryption algorithm
5 authors c94-150, Blundo, C., De Santis, A., Di Crescenzo, G., Gaggia, A.
Giorgio and Vaccaro, U., Multi-secret sharing schemes 

Most Papers by a Single Author 

The following authors have the most papers published in the series: 

Chaum, D. (38) c81-138, c82-199, c83-153, c83-387, c84-432, c84-481, e85-241,
c85-18, c85-192, c86-49, c86-118, c86-195, c86-200, e87-127, e87-227,
c87-87, c87-156, c87-462, e88-177, c88-319, e89-267, e89-288, e89-294, c89-212,
c89-591, e90-458, c90-189, c90-206, e91-96, e91-257, e91-547, e91-554,
c91-470, e92-390, c92-1, c92-89, e93-344, e94-86
Desmedt, Y. (34) c83-171, e84-62, e84-142, c84-144, c84-147, c84-359, c85-42,
c85-516, c85-537, e86-17, c86-111, c86-459, c87-21, c87-120, e88-23,
e88-183, c88-375, e89-75, e89-122, c89-6, c89-307, e90-1, e90-11, c90-169,
c90-177, e91-81, e91-205, c91-457, e92-25, e92-194, c92-549, e94-275, e95-147,
e96-107

Yung, M. (30) c84-439, c85-128, c87-40, c87-135, e89-3, e89-192, e89-196,
e90-412, c90-94, c90-177, c90-366, e91-205, c91-44, c92-196, c92-442, c92-471,
e93-267, e94-67, c95-222, c95-287, c95-339, e96-72, c96-89, c96-186,
e97-62, e97-280, e97-450, c97-31, c97-264, c97-440







Damgard, I. B. (27) e87-203, c87-87, c87-156, c87-462, e88-167, c88-163, c88-328,
c88-580, c88-583, c89-17, c89-416, c90-189, c91-445, e92-341, e92-461,
c92-358, e93-200, e93-286, c93-100, c93-250, e94-140, c94-174, c95-297,
c95-325, e96-372, c96-173, e97-75

Goldreich, O. (26) c82-205, c82-315, c83-43, c83-133, c83-383, e84-127, e84-387,
c84-276, c84-303, c85-58, c85-448, c86-104, c86-171, c86-426, c87-73,
c88-37, c88-57, c88-146, c89-113, c89-263, c92-390, c94-216, c95-325, c97-46,
c97-105, c97-112

Shamir, A. (25) c81-1, c82-279, c84-37, c84-47, e85-31, c85-58, c85-280, c86-186,
c87-398, c88-244, c88-284, c89-526, c89-606, c90-2, c90-353, c90-394,
e91-1, c91-156, c91-213, c92-487, c93-1, e94-1, e94-445, e97-52, c97-513
Quisquater, J. J. (23) e82-283, c83-171, e84-62, c84-144, c84-359, c85-537,
e86-17, c86-111, c87-203, c87-223, c87-255, e88-123, c88-216, e89-102, e89-429,
e89-662, c89-253, c89-408, c89-628, e90-465, c90-502, c94-83, c95-57
Okamoto, T. (22) c88-232, e89-134, c89-481, e90-446, c90-456, e91-96, e91-243,
e91-446, c91-252, c91-267, c91-324, e92-324, e92-420, c92-31, c92-54,
e93-461, e94-306, c94-61, c95-325, c95-438, c97-16, c97-31
Brickell, E. F. (22) c82-15, c82-51, c82-289, c83-25, c83-39, c84-342, c85-28, 
e86-21, c86-3, e87-117, c87-156, c87-418, e88-51, e88-275, c88-564, e89- 
403, e89-468, c89-278, c89-368, e90-63, c90-242, e92-200 
Micali, S. (21) c82-211, c84-276, c86-171, c86-381, c87-52, c88-37, c88-173,
c88-200, c88-244, c88-256, c88-269, c89-263, c89-545, c89-547, c90-253,
c91-392, c92-113, c93-456, e95-168, c95-185, c96-201
Simmons, G. J. (21) c81-31, c81-79, c82-289, c83-51, e84-183, e84-364, c84-411,
e85-261, c85-33, e86-16, c86-9, e87-151, c87-211, c87-269, e88-35,
c88-390, e89-436, e90-266, c90-216, e93-218, e93-448
Brassard, G. (20) c81-54, c82-79, c82-267, c84-475, c85-468, c86-223, c86-234,
c86-443, c87-461, c88-580, e89-16, e89-181, e89-192, e90-253, c90-49,
c90-94, c91-351, e93-410, e97-334, c97-337
Maurer, U. M. (19) e87-237, e89-636, c89-100, e90-361, c90-409, e91-458,
e91-498, c91-252, e92-239, e92-429, e92-458, c92-461, e94-266, c94-75,
c94-271, c96-268, e97-209, c97-292, c97-307
Crepeau, C. (19) c85-73, c86-223, c86-234, c86-239, c86-443, c87-350, c87-462,
c88-2, e89-150, e89-181, e89-192, c90-49, e91-106, c91-351, c93-319,
e95-133, c95-110, e97-306, e97-334

Schnorr, C. P. (18) e82-325, e82-331, c83-117, e84-113, c84-37, e88-225, c88-173,
e89-688, c89-239, e90-432, e91-54, e91-281, e92-45, e92-408, e94-47,
e95-1, c96-143, e97-267

Bellare, M. (17) c88-200, c89-194, c89-547, c89-604, c92-390, c92-442, c93-232,
e94-92, c94-216, c94-341, c95-15, e96-399, c96-1, e97-163, e97-280,
Preface



One of the challenges of embracing the information age is to enhance and 
carry forward the enormous amount of information that is archived in paper 
format. In this collection we have collected together the 14692 pages of in- 
formation from the 32 volumes of conference proceedings of CRYPTO and 
EUROCRYPT. In addition, we have derived textual information that can be 
used to index and search this archive. 

Compressing this much information onto a single CDROM required sig- 
nificant effort, but it was felt that this would enhance the usability of the 
collection with current technology. As a rough estimate we might assume 
that one printed volume of cryptology proceedings contains in the average 
about 460 pages. If we assume that a volume of 460 pages is 3.5 centimeters 
thick, one has to store 1.12 meters of paper proceedings. Suppose one page of 
a proceedings volume contains in the average 380 words or, including punc- 
tuation, 2500 characters (e.g. one page of volume 963 of LNCS contains 482 
words or 3200 characters in the average whereas volume 196 contains only 253 
words or 1710 characters per page). In this case we have to store 5.582.960 
words or 36.730.000 characters or in computer terms about 40 megabytes if 
we store it as ASCII text. 

Unfortunately, producing such text is nearly impossible, and we have cho- 
sen to provide information in the form of PDF files containing images. This 
is dictated by the content of the volumes, which are predominantly text, but 
are also mathematical in nature, containing many formulas and mathematical 
expressions. Over the years the fonts and typefaces changed from typewriter 
styles to DVI files, and particularly the quality of some early printed source 
documents is rather poor (especially the proceedings of CRYPTO 81 and 
EUROCRYPT 86) . These factors contribute to a very high error rate for op- 
tical character recognition (OCR). Since mathematical content is of no value 
if the accuracy is compromised, we chose to deliver an electronic product that 
is as faithful as possible to the original material. 

Given that a CDROM has a capacity of approximately 650 MB, this 
implies that the size of one proceedings page should not be much larger than 
about 40 KB, in order to leave room for a Keyword Index, an Author Index, 
the Table of Contents and a search engine for efficient and convenient retrieval 
of the documents. 
By experimentation we learned that 400 dpi is a resolution where the
OCR software could be trained to produce reasonable results. One page, 
scanned with a resolution of 400 dpi, has an average size of 140 KB when 
stored as 4636x3232 resolution TIF file. The TIF files served as the basis for 
the OCR process, because we need the text versions to produce indices. Once
the TIF images were produced, we used an automatic process to crop white
space from the borders, and transformed them into PDF files using some of the
software in the IBM database of US Patents. We experimented a great deal 
with different settings to balance the space requirement against the quality 
of the result. The final process took several days of processing on a personal 
computer. 

Creating a search engine for OCR scanned text is a challenge in itself, 
from both an algorithmic and software point of view. We experimented with 
various approaches to this, and Kevin McCurley finally decided to write a 
Java applet for incorporation into the CDROM. This has several advantages: 

— it is integrated into the browsing process of HTML and PDF documents, 

— it offers portability across many different platforms, which is particularly 
important for a scientific audience accustomed to Unix workstations. 

Unfortunately Java is still rather slow, consumes substantial memory, and 
has not yet reached full maturity as a programming language. As a result, 
we expect that some users may have trouble using the Applet, but perhaps 
this situation will improve with time. 

From an algorithmic point of view, the problem of searching OCR data 
for keywords is the dual problem of spell checking - in the case of spell check- 
ing you assume the dictionary is correct, and compare a possibly incorrect 
word against the dictionary. In the case of searching OCR data, you assume 
the errors are in the dictionary (unless these can be removed by reference 
to a dictionary appropriate to the context), and look for occurrences of the
(presumably correct) search words in your approximate data. A great deal 
of work has been done in this field in the last few years, but we decided to 
adopt a simple approach for the applet. The method used by the applet is 
simply to check each string that is an edit distance of at most one from the 
target string, and see whether it appears in the text. For this purpose we use 
a hash table to locate all references to a given string. Note that this method
would not scale well to an edit distance of two, since the complexity of
the algorithm is exponential in the maximal edit distance d.
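The lookup just described, as an added example in Python (not the CD-ROM's Java applet): a hash table maps each token of constructed OCR-style page text to its pages, every string within edit distance one of the query is enumerated and looked up, and a small `edits` helper goes beyond the applet to show how the candidate set grows when d is raised.

```python
"""Approximate keyword search over OCR'd text: enumerate all strings within
edit distance 1 of the query and look each one up in a hash table."""
from collections import defaultdict

# Alphabet used for substitutions/insertions; digits included because OCR
# often confuses '1' with 'l' and '0' with 'o'.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_index(pages):
    """Map each lowercased token to the set of page numbers containing it.
    `pages` is a dict {page_number: text}."""
    index = defaultdict(set)
    for page_no, text in pages.items():
        for tok in text.lower().split():
            tok = tok.strip(".,;:()\"'")
            if tok:
                index[tok].add(page_no)
    return index


def edits1(word):
    """All strings at Levenshtein distance <= 1 from `word` (word included)."""
    splits = [(word[:i], word[i:]) for i in range(len(word) + 1)]
    deletes = {a + b[1:] for a, b in splits if b}
    subs = {a + c + b[1:] for a, b in splits if b for c in ALPHABET}
    inserts = {a + c + b for a, b in splits for c in ALPHABET}
    return {word} | deletes | subs | inserts


def edits(word, d):
    """All strings within edit distance d (d-fold closure of edits1).
    The candidate set grows roughly like (len(word) * len(ALPHABET)) ** d,
    which is why the applet stops at d = 1."""
    result = {word}
    for _ in range(d):
        result = {e for w in result for e in edits1(w)}
    return result


def search(index, query):
    """Pages on which some edit-distance-1 variant of `query` occurs.
    Returns (sorted page list, sorted list of variants actually found)."""
    hits, matched = set(), []
    for variant in edits1(query.lower()):
        if variant in index:          # one O(1) hash lookup per candidate
            hits |= index[variant]
            matched.append(variant)
    return sorted(hits), sorted(matched)


# Constructed sample "OCR output" (not real scanned text): page 323 spells
# the keyword correctly, page 14 carries a typical OCR error (1 for l).
SAMPLE_PAGES = {
    323: "A zero-knowledge protocol for graph isomorphism.",
    14: "The protoco1 was proven secure under the discrete logarithm assumption.",
    45: "Differential cryptanalysis of DES-like cryptosystems.",
}

if __name__ == "__main__":
    idx = build_index(SAMPLE_PAGES)
    print(search(idx, "protocol"))        # both the correct and the OCR-damaged page
    print(len(edits("ab", 1)), len(edits("ab", 2)))  # candidate-set growth
```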

In addition, we encountered further questions concerning quality control: 

— How can corrupted or irregularly cropped pages be detected systematically
without having to go through all 14692 images by hand? 

— How can completeness be ensured? 

— How can it be ensured that no contribution and no author were missed for
the automatically produced Table of Contents and the Author Index? 
We are satisfied that our process properly addressed the third point, but
the first two remain a concern. When working with the CDROM you will 
certainly find errors, rough patches, and deficiencies. We invite you to tell us 
about them and send us suggestions for improvements. Any further informa- 
tion that we can provide to enhance the usability of this CD will be placed 
at the IACR web site (http://www.iacr.org/cd/).

The process of creating this work has been a collaboration between several 
people. We would like to particularly thank Andy Clark, Alfred Hofmann, 
Thomas Berson, Whitfield Diffie, Joan Feigenbaum, Bart Preneel, Tom Griffin,
Jason Zien, Sridhar Rajagopalan, and our student workers. Although a
curious series of accidents during this project delayed the publication, we are 
quite satisfied that the result will be of use to the research community. 



Claus Dieter Ziegler 
Kevin S. McCurley 
September 1998 
Advances in Cryptography



Preface 



This report contains information provided by the 
authors about the papers presented at CRYPTO 81. In some 
cases only abstracts were available, in a few cases
essentially complete papers have been included, and in
most cases an extended abstract or summary is provided.
The Table of Contents gives the complete program with the 
original titles. In a few papers, the authors have pro- 
vided closely related material with different titles. 

This report is more an afterthought than a 
proceedings. The success of the workshop motivated con- 
siderable interest in making available some form of 
record of the event. The report was prepared for the 
participants of the workshop and for the use of the Na- 
tional Science Foundation whose support was of tremendous 
value by providing travel funds for several participants 
who would not otherwise have been able to attend. 



Allen Gersho, Editor 
Preface



This book contains the proceedings of a workshop on cryptography that took place
from March 29th to April 2nd, 1982, at Burg Feuerstein in the lovely surroundings
of the Fränkische Schweiz near Erlangen.

Burg Feuerstein is an extensive estate run by the diocese of Bamberg. It serves
many purposes, mainly of social character.

Our workshop on cryptography, however, proved to be in the best traditions of
these grounds, since the ‘Burg’ is not a genuine castle: it was built in the early
1940’s as a camouflaged center for communications engineering emphasizing
cryptographic research. The unintended coincidence gives a good opportunity to note
the changes that cryptographic research has undergone since then. One of the most
remarkable was the fact that there were 76 participants from 14 nations.

This volume contains 26 articles altogether. The introduction is an expository
survey for non-specialists and places in context the other 25 papers submitted. These
are grouped into sections within which they are arranged with regard to content.
The editor has refrained judiciously from judging the significance or consistency of all
the results. Together with a rather extensive (doubly linked) bibliography the book
could be used as a self-contained text. At the back of the book are a list of
participants as well as a list of the talks for which no paper was submitted.

The organizer is indebted to the Deutsche Forschungsgemeinschaft and to the
Gesellschaft für Informatik for supporting the conference.

The advice given by H.J. Beker (Racal-Comsec, Salisbury), by H.-R. Schuchmann
(Siemens-Forschungslaboratorien München), and by N.J.A. Sloane (Bell Laboratories,
Murray Hill) was of substantial help.

Finally it is a pleasure to thank R. Dierstein (DFVLR Oberpfaffenhofen) for his
experienced aid in organizing the workshop.



T.B. 
Preface



In the opening sentence of their seminal 1976 paper, Diffie and Hellman
proclaimed: “We stand today on the brink of a revolution in cryptography.”¹ Six
years later, we find ourselves in the midst of this revolution, surrounded by an
explosion of developments in cryptology.

Cryptology is the art of making and breaking codes and ciphers. More
generally, cryptology provides techniques for transmitting information in a private,
authenticated, and tamper-proof manner. Cryptology was once the exclusive
domain of mathematicians, governments, and military forces. But as computer
and communications technologies advance, and as we move toward an electronically
interconnected society, more and more people now depend on computer mail,
electronic business transactions, and computer data banks. Cryptology has become a
vital concern of numerous businesses and individuals. Fortunately, the availability of
small, fast, and inexpensive computers has made encryption feasible and economical
for many applications.

Organized in response to the growing interest in cryptology, CRYPTO 81 was
the first major open conference ever devoted to technical cryptologic research.²
Its successor, CRYPTO 82, was the largest conference of its kind. Held August
23-25, 1982, CRYPTO 82 attracted over 100 participants, including many leading
researchers from all over the world. CRYPTO 82 took place at the University
of California at Santa Barbara and was held with the cooperation of the IEEE
Communications Society, the IEEE Information Theory Group, and the Department
of Computer Science at U. C. Santa Barbara.³ Compiled as the official record of



¹Whitfield Diffie and Martin E. Hellman, “New Directions in Cryptography,” IEEE Transactions
on Information Theory, IT-22 (November 1976), 644.

²Held August 24-26, 1981, CRYPTO 81 took place at the University of California at Santa
Barbara. It was sponsored by the IEEE Data and Computer Communications Committees and was
supported in part by the National Science Foundation. The CRYPTO 81 proceedings are available
as a technical report: Allen Gersho, ed., “Advances in Cryptology: A Report on CRYPTO 81,”
ECE Report no. 82-04, Department of Electrical and Computer Engineering, U. C. Santa Barbara,
Santa Barbara, California 93106.

³Additional details about the conference can be found in: David Kahn, “The CRYPTO 82
Conference, Santa Barbara: A Report on a Conference,” Cryptologia, 7 (January 1983), 1-5.
This volume contains 34 papers that were presented at CRYPTO 82, as well
as a paper by Donald W. Davies from CRYPTO 81 that did not appear in the
CRYPTO 81 proceedings. Most of these papers appear here in print for the first
time. As a unique record of the current state of cryptologic research, Advances in
Cryptology: Proceedings of CRYPTO 82 is an invaluable source of information for
anyone intrigued by the recent developments in cryptology. Advances in Cryptology
is also well suited for use as a supplementary textbook in a course in cryptology.

Reflecting the structure of the conference, the proceedings are arranged in
six sections. The first five sections contain the main papers of the conference,
organized roughly according to the following themes: algorithms and theory, modes
of operation, protocols and transaction security, applications, and cryptanalysis. The
sixth section contains abstracts describing results presented at the informal “Rump
Session.”

Each paper in the five main sections was selected by the program committee 
from brief abstracts submitted in response to a call for papers. The final papers were 
not formally refereed, and the authors retain full responsibility for the contents of 
their papers. Several of the papers are preliminary reports of continuing research. 

Section I, “Algorithms and Theory,” focuses on specific cryptographic algorithms
used to encipher messages and on theoretical foundations for the design of secure 
algorithms. Many of the papers in this section have a number-theoretic flavor. 

Section II, “Modes of Operation,” explores two major topics: the security of
the Data Encryption Standard (DES) and the use of randomization to increase the
security of cryptographic algorithms. For example, papers by Donald W. Davies and
Robert J. Jueneman investigate the security of DES when used in output feedback
mode. The underlying theme of this section is that the security provided by a
cryptographic algorithm is determined in part by the way the algorithm is used.

Section 111, “Protocols and Transaction Security," studies how protocols can be 
used tt) atnduct various business transactions electronically. In particular, prouxxils 
are discussed for signing checks, making untraceable payments, and enabling two 
mutually suspicious parties to sign a contract simultaneously. Methcxls for proving 
the correctness of such protocols are also examined in detail. 

Section IV, “Applications,” treats the key management aspects of a number of 
cryptographic applications, such as protecting personal data cards, controlling access 
to local networks, and implementing an electronic notary public. This section also 
includes a paper by Charles Bennett et al suggesting that quantum mechanics, rather 
than computational complexity, can form the foundation for certain cryptographic 
schemes. 

Section V, “Cryptanalysis,” investigates weaknesses of knapsack ciphers. In what 
is perhaps the mc«t significant unclassified cryptologic paper of the year, Adi Shamir 
Preface 

An international community of researchers is now flourishing in the area of 
cryptology - there was none half-a-dozen years ago. The intrinsic fascination of 
the field certainly is part of the explanation. Another factor may be that many 
sense the importance and potential consequences of this work, as we move into 
the information age. I believe that the various meetings devoted to cryptology 
over the past few years have contributed quite significantly to the formation of this 
community, by allowing those in the field to get to know each other and by 
providing for rapid exchange of ideas. 

CRYPTO 83 was once again truly the cryptologic event of the year. Many of 
the most active participants continue to attend each year, and attendance 
continues to grow at a healthy rate. The informal and collegial atmosphere and 
the beach side setting which contribute to the popularity of the event were again 
supported by flawless weather. The absence of parallel sessions seemed to 
provide a welcome opportunity to keep abreast of developments in the various 
areas of activity. 

Each session of the meeting organized by the program committee is 
represented by a section in the present volume. The papers were accepted by the 
program committee based on abstracts, and appear here without having been 
otherwise refereed. The last section contains papers presented at the informal 
rump session. A keyword index and an author index to the papers is provided at 
the end of the volume. 

At CRYPTO 82 I proposed the formation of an International Association for 
Cryptologic Research to organize meetings and keep its members informed of 
events in the field. The association has taken the form of a non-profit corporation 
which held its first business meeting at CRYPTO 83. The attendees elected 
officers, a newsletter editor was selected, and plans were laid for EUROCRYPT 
84 in Paris and CRYPTO 84 in Santa Barbara. 

Many thanks are due the authors for their timely submission of papers, and to 
Ron Rivest and Alan Sherman for all their work in setting up the proceedings of 
CRYPTO 82. 

Santa Barbara, California 
January 1984 

D.C. 
PREFACE 

This book contains the proceedings of EUROCRYPT 84, 
held in Paris in 1984, April 9-11, at the University of Paris, 
Sorbonne. 

EUROCRYPT is now an annual international European 
meeting in cryptology, intended primarily for the international 
community of researchers in this area. EUROCRYPT 84 was 
following previous meetings held at Burg Feuerstein in 1982 
and at Udine in 1983. In fact EUROCRYPT 84 was the first 
such meeting being organized under IACR (International 
Association of Cryptology Research). Other sponsors were 
the well-known French association on cybernetics research 
called AFCET, the LITP (Laboratoire d'Informatique théorique 
et de Programmation), which is a laboratory of computer 
science associated with CNRS, and the department of mathematics 
and computer science at the University René Descartes, Sorbonne. 

EUROCRYPT 84 was very successful, with about 180 
participants from a great variety of foreign countries and 
close to 50 papers addressing all aspects of cryptology, 
applied as well as theoretical. It also had a special feature, 
i.e. a special session on smart cards particularly welcome 
at the time, since France was then carrying on an ambitious 
program on smart cards. 

EUROCRYPT 84 was a great experience. We like to thank 
all the sponsors and all the authors for their submission 
of papers. 

December 1984. 

Cot 
Preface 

It is our pleasure to thank all those who contributed to making these proceedings possible: 
the authors, program committee, other organizers of the meeting, IACR officers and directors, 
and all the attendees. 

College Station, Texas G.R.B. 

Amsterdam, the Netherlands D.C. 

March 1985 
Preface 

The storage, routing and transmission of information, either in the form of digital 
data or of analog signals, plays a central role in modern society. To ensure that 
such information is protected from access by unauthorized persons is an 
important new challenge. The development of the theory and practical 
techniques needed to meet this challenge is the goal of current cryptological 
research. This research is highly varied and multidisciplinary. It is concerned with 
fundamental problems in mathematics and theoretical computer science as well 
as with the engineering aspects of complex information systems. Cryptology 
today ranks among the most active and interesting areas of research in both 
science and engineering. 

EUROCRYPT '85 maintained the tradition of the three previous workshops in this 
series (Paris 1984, Udine 1983, Burg Feuerstein 1982) with its emphasis on recent 
developments in cryptology, but also made a concerted effort to encompass more 
traditional topics in cryptology such as shift-register theory and system theory. 
The many papers on these topics in this volume are witness to the success of this 
effort. 



I am grateful to the speakers and to the authors of the papers in this volume for 
their contributions to EUROCRYPT '85, and to the Program Committee headed by 
Professor Thomas Beth, University of London, now University of Karlsruhe, for its 
labors in putting together a provocative and interesting program. My thanks go 
also to all the sponsors of EUROCRYPT '85, with a special "Dankeschön" to the 
International Association for Cryptologic Research for its indispensable support. I 
hope that this volume, with its cross-section of current research in cryptology, will 
extend the reach of EUROCRYPT '85 and be a stimulation to its readers of their 
own research in cryptology. 

Franz Pichler 
Chairman 
EUROCRYPT '85 
Thomas Beth, Program Chairman 

Having served as Program Chairman for EUROCRYPT 85, held at Linz (Austria) I 
think this is a suitable place to compare my a posteriori impressions of this 4th 
European Meeting on Cryptography with the a priori expectations, most of which 
- with some modifications of course - made me initially organise the first of these 
meetings at Burg Feuerstein. 

As the field of cryptography is by nature an interdisciplinary one it has proved to 
be a successful policy to arrange these meetings around a skeleton of survey 
lectures. This is a fruitful tradition, from which everyone - users and designers, 
practitioners and theoreticians, speakers and participants - have gained largely. 

To make a skeleton walk, however, one needs far more than a strong backbone. 

In these past few years we have witnessed some breakthroughs in cryptography, 
especially in the field of analysis, e.g. breaking the Merkle-Hellman Scheme, 
towards which Ingemarsson and Shamir took the first steps at Burg Feuerstein 
leading to the final general method presented by Brickell at Linz. 

Other improvements, e.g. in the question of discrete logarithms by Blake, Mullin, 
Vanstone, Coppersmith and Odlyzko were equally impressive. 

The regular appearance of many other 'crypto schemes' and their immediate 
analysis shows, however, that we are still rather far away from a general theory. 
Even if we consider this problem optimistically, in my view it is clear that such a 
general theory would have to incorporate results on 

- Complexity 

- Protocols 

- General Systems 

which I count amongst the most difficult fields of research at present. 

From research in complexity we urgently need results on lower bounds which 
would be the basis for an approach to a general theory of data security. The need 
for such a development has become especially obvious in the area of developing 
sequential ciphers. After the last few years' successful work on designing 
PN-generators of large linear equivalent, it has now become apparent that other 
evaluation principles have to be applied. While the work by Yao, Blum, Micali and 
Goldwasser has shown theoretical instances as to how to proceed, the first two 
practical analytical results are those presented by Siegenthaler and Rueppel at 
Linz. 

What we are lacking at present are PN-generation methods that are fast, easily 
implemented and secure in the light of the approaches above. 

We are also still urgently waiting for fast implementation of exponentiation 
algorithms as needed for the RSA-System or the Diffie-Hellman Scheme. 

With respect to public key systems it should meanwhile have become clear that, 
although more such systems are strongly sought after, the imitations of the 
original RSA idea by means of different permutations over possibly different 
semi-simple algebras is of not much impact, - unless reliable security estimates i.e. 
lower bounds can be achieved. 
The need for these estimates is not only a question of great urgency in the very 
topic of encryption but also in a general approach towards secure systems. On the 
one hand the really proposed rather futuristic general systems models, though 
intellectually stimulating, are largely pending on the availability of suitable 
encryption schemes. There is no need to refer again to the inherent dangers of 
systems based on common sense rather than theorems. On the other hand one 
has to recognize the ideas coming from non-secrecy cryptography as described by 
Simmons in his survey lecture on authentication. 

Equally important are the engineering aspects as described by Davies and Price in 
their survey lecture. But again, qualitatively and quantitatively sufficient systems 
analysis tools are missing. 

These tools, if they were available, would be of immediate application in the 
design of Hierarchical Key Distribution Systems as they are urgently needed in 
large networks as ISDN, but possibly also in the evaluation of Software Protection 
Systems. Although some first systems have been presented in Linz, it is my 
conviction that we are far away from a system that is secure beyond the designed 
man-machine interface, it has been designed for. 

This leads us to the question of new technology in cryptography: 

Except for a paper on proposed analog encryption schemes, by Davida, no 
progress can be reported. Concerning the technology of smart cards 
improvement w.r.t. to their memory size and mechanical stability have been 
reported. But the heavy criticism uttered by Simmons and myself at the 
EUROCRYPT '84 is still valid as the British solution by socalled intelligent token is 
still in its experimental phase. 

I would furthermore have liked to see speculative papers for instance on optical 
scrambling or encryption for soliton transmission systems, to name a few. 
Especially the optical solitons on glass fibres could provide a feasible solution for 
a socalled quantum crypto system i.e. a system which would detect 'information 
theft'. 

Coming down to earth again, I would like to point out the large efforts taken 
internationally towards standardisation. The report by Price on the state of a 
proposed standard for public key encryption had been followed with great 
interest. 

But with the process of accepting DES as ISO standard being in a rather mature 
state, I would like to draw the attention to the fact, that when DES was conceived 
more than a decade ago, it was planned to be a standard for the next 10 to 15 
years. It is therefore a surprise to me that in view of the latest releases of 
computer hardware, there was no general effort made or proposed towards a 
replacement of DES or should I say "DES Ersatz"? 

Remark of the editor: these notes have already appeared immediately after the conference in 
IACR NEWSLETTER, June 1985 
Preface 

In the summer of 1981 Allen Gersho organized the first major open conference ever 
devoted to cryptologic research. This meeting, Crypto '81, was held at the University of 
California campus in Santa Barbara. Since then the Crypto conference has become an 
annual event. These are the proceedings of the fifth* of these conferences, Crypto '85. 

Each section of this volume corresponds to a session at the meeting. The papers 
were accepted by the program committee, sometimes on the basis of an abstract only, and 
appear here without having been otherwise refereed. The last section contains papers for 
some of the impromptu talks given at the traditional rump session. Each of these papers 
was refereed by a single member of the program committee. An author index as well as a 
keyword index, the entries for which were mainly supplied by the authors, appear at the 
end of the volume. 

Unfortunately, two of the papers accepted for presentation at Crypto '85 could not 
be included in this book; they are: 

Unique Extrapolation of Polynomial Recurrences 
J. C. Lagarias and J. A. Reeds (A.T. & T. Bell Labs) 

Some Cryptographic Applications of Permutation Polynomials and 
Permutation Functions 
Rupert Nöbauer (Universität für Bildungswissenschaften, Austria) 

It is my great pleasure to acknowledge the efforts of all of those who contributed to 
making these proceedings possible: the authors, program committee, other organizers of 
the meeting, IACR officers and directors, and all the attendees. I would also like to thank 
Lynn Montz of Springer-Verlag for her patient assistance in preparing this volume. 

Winnipeg, Manitoba, Canada H.C.W. 

January 1986 

*Proceedings of the other Crypto conferences have also been published. The interested 
reader can find these listed in the preface of Advances in Cryptology 84 (the proceedings of 
Crypto '84), published by Springer-Verlag. 
A Word from the Program Chairman 

The Program Committee has worked strenuously to ensure that 
the papers to be presented at Eurocrypt '86 are both interesting 
and relevant to the advance of scientific cryptology. All papers 
were selected from among those submitted — there are no invited 
papers this year. Judging from the quantity and quality of the 
submissions, I would say that cryptology is "alive and well" in 
Europe. 

No Proceedings of Eurocrypt '86 will be published. Participants 
who have special interest in some paper are urged to 
request preprints (if they exist!) directly from the author. The 
decision to publish only abstracts from Eurocrypt '86 was based 
partly on the belief that not requiring full papers would 
encourage contributors to speak about their current and 
still-evolving research. Another reason for this decision arises 
from the fact that the International Association for Cryptologic 
Research (IACR) will soon begin to publish its own scholarly 
journal. The President of the IACR, Dr. Dorothy E. Denning, will 
announce the formation of this new journal at Eurocrypt '86. It 
is hoped that Eurocrypt '86 contributors, who have their full 
papers now ready or in preparation, will submit these papers to 
this new journal. It would be nice if "Vol. 1, No. 1" of the 
first scholarly journal devoted entirely to scientific cryptology 
were to consist primarily of papers from Eurocrypt '86. 



James L. Massey 
Preface 

This book is the proceedings of CRYPTO 86, one in a 
series of annual conferences devoted to cryptologic research. They 
have all been held at the University of California at Santa Barbara. 
The first conference in this series, CRYPTO 81, organized by A. 
Gersho, did not have a formal proceedings. The proceedings of the 
following four conferences in this series have been published as: 

Advances in Cryptology: Proceedings of Crypto 82, D. 
Chaum, R. L. Rivest, and A. T. Sherman, eds., 
Plenum, 1983. 

Advances in Cryptology: Proceedings of Crypto 83, D. 
Chaum, ed., Plenum, 1984. 

Advances in Cryptology: Proceedings of CRYPTO 84, G. 
R. Blakley and D. Chaum, eds., Lecture Notes in 
Computer Science #196, Springer, 1985. 

Advances in Cryptology - CRYPTO '85 Proceedings, H. 
C. Williams, ed., Lecture Notes in Computer Science 
#218, Springer, 1986. 

A parallel series of conferences is held annually in Europe. 
The first of these had its proceedings published as 

Cryptography: Proceedings, Burg Feuerstein 1982, T. 
Beth, ed., Lecture Notes in Computer Science #149, 
Springer, 1983. 

Eurocrypt 83, held in March of 1983 in Udine, Italy, and Eurocrypt 86, 
held in May of 1986 in Linköping, Sweden, did not have formal 
proceedings, while the '84 and '85 conference proceedings have 
appeared as 

Advances in Cryptology: Proceedings of EUROCRYPT 84, 
T. Beth, N. Cot, and I. Ingemarsson, eds., Lecture 
Notes in Computer Science #209, Springer, 1985. 

Advances in Cryptology - EUROCRYPT '85, F. Pichler, 
ed., Lecture Notes in Computer Science #219, Springer, 
1986. 

Papers in this volume are presented in seven sections 
containing most of the papers presented in the regular program, and a 
final section based on some of the informal presentations at the "Rump 
Session" organized by W. Diffie. Several of the regular papers 
presented at the conference are not included in this volume. There was 
a special session on integer factorization, and the three papers in that 
section will be published in journals: 

C. Pomerance, J. W. Smith, and R. Tuler, A pipeline 
architecture for factoring large integers with the 
quadratic sieve algorithm, SIAM J. Comp. (to appear). 

T. R. Caron and R. D. Silverman, Parallel 
implementation of the quadratic sieve, J. 
Supercomputing (to appear). 

M. C. Wunderlich and H. C. Williams, A parallel 
version of the continued fraction integer factoring 
algorithms, J. Supercomputing (to appear). 

Also, the paper 

J. G. Osborn and J. R. Everhart, A large community 
key distribution protocol, 

was not revised in time for publication. 

It is my pleasure to thank all those who made these 
proceedings possible: the authors, organizers, and all the attendees. 
Special thanks are due to M. Janssen, Y. Cohen, and the Springer staff 
for their help in the production of this volume. 

Murray Hill, New Jersey 

Andrew M. Odlyzko 
Preface 

1987 marked a major upswing in attendance and contributions for this fifth in the 
series of Eurocrypt meetings. Response was so great that, to our regret, we were only 
able to accommodate less than half the submitted papers. Attendance was also up by a 
healthy margin. 

The first two open meetings devoted to modern cryptography were organised 
independently: one by Allen Gersho during late Summer 1981 in Santa Barbara,[1] and 
the other by Thomas Beth and Rüdiger Dierstein in Germany the following Spring.[2] 
David Chaum organised a successor to the Santa Barbara meeting the next year,[3] which 
launched the International Association for Cryptologic Research. The sponsorship of 
the association has enabled the series of annual Summer CRYPTO meetings in the 
U.S. and annual Spring EUROCRYPT meetings in Europe to be continued 
unbroken. 

It is our pleasure to thank all those who contributed to making these proceedings 
possible: the authors, programme committee, organising committee, IACR officers and 
directors, and all the attendees. 

We were all deeply saddened when we learned that Tore Herlestam, a member of 
the programme committee, had died unexpectedly. This volume is dedicated to him. 

Amsterdam, the Netherlands D.C. 

London, England W.L.P. 

January 1988 

1. Advances in Cryptology: A Report on CRYPTO 81, Allen Gersho, Ed., UCSB ECE Report no. 82-04, 
Department of Electrical and Computer Engineering, Santa Barbara CA 93106. 

2. Cryptography: Proceedings, Burg Feuerstein 1982 (Lecture Notes in Computer Science; 149), Thomas 
Beth, Ed., Springer-Verlag, 1983. 

3. Advances in Cryptology: Proceedings of CRYPTO 82, David Chaum, Ronald L. Rivest, and Alan T. 
Sherman, Eds., Plenum NY, 1983. 

4. Advances in Cryptology: Proceedings of CRYPTO 83, David Chaum, Ed., Plenum NY, 1984. 
Preface 

This book is the proceedings of CRYPTO '87, one in a series of annual 
conferences devoted to cryptologic research. For citations of proceedings of 
CRYPTO and Eurocrypt conferences before 1986, see 

Advances in Cryptology - CRYPTO '86 Proceedings, A. M. Odlyzko, ed., 
Lecture Notes in Computer Science #263, Springer, 1987. 

Papers in this volume are organized into seven sections. The first six 
sections comprise all of the papers on the regular program, including two 
papers on the program that unfortunately were not presented at the meeting. 
The seventh section contains some of the papers presented at the "Rump 
Session" organized by W. Diffie and also includes a short note by T. R. N. Rao 
which comments on the paper of R. Struik and J. van Tilburg. 

CRYPTO '87 was attended by 170 people representing 19 countries. 
Responsible not only for the conference as a whole, G. B. Agnew also took care 
of local arrangements in Santa Barbara. We all owe him a debt of gratitude 
for his highly successful efforts. 

It is my special pleasure to thank my fellow members of the Program 
Committee: T. A. Berson, E. F. Brickell, A. M. Odlyzko, and G. J. Simmons. 
They all were most prompt, efficient, and willing to cheerfully compromise on 
disagreements. My task would have been hopeless without them. 

I also would like to thank the authors and attendees who made CRYPTO '87 
such a success. Special thanks are due to University of Georgia secretaries 
D. Byrd and P. Sisk and I. B. Moncz at Springer for their help in the 
production of this volume. 

Athens, Georgia 

Carl Pomerance 


CRYPTO '87 

A Conference on the Theory and Applications of Cryptographic Techniques 

held at the University of California, Santa Barbara, 
through the cooperation of the 
Computer Science Department 

August 16-20, 1987 
sponsored by: 

The International Association for Cryptologic Research 

in cooperation with 

The IEEE Computer Society Technical Committee 
On Security and Privacy 

ORGANIZERS 

General Chairman: G. B. Agnew (U. Waterloo) 

Program Committee: T. A. Berson (Anagram Laboratories) 
E. F. Brickell (Bell Communications Research) 
A. M. Odlyzko (AT&T Bell Laboratories) 
C. Pomerance (U. Georgia, Chairman) 
G. J. Simmons (Sandia National Laboratories) 







CRYPTO ’87 Table of Contents 



Standards for data security: a change of direction 3 

Price, W. L. 

Integrating cryptography in ISDN 9 

Presttun, K. 

Special uses and abuses of the Fiat Shamir passport protocol 21 

Desmedt, Y., Goutier, C. and Bengio, S. 

Direct minimum knowledge computations 40 

Impagliazzo, R. and Yung, M. 

Noninteractive zero-knowledge proof systems 52 

De Santis, A., Micali, S. and Persiano, G. 

How to solve any protocol problem: an efficiency improvement 73 

Goldreich, O. and Vainish, R. 

Multiparty computations ensuring privacy of each party’s input and correct- 
ness of the result 87 

Chaum, D., Damgård, I. B. and van de Graaf, J. 

Society and group oriented cryptography: a new concept 120 

Desmedt, Y. 

A simple and secure way to show the validity of your public key 128 

van de Graaf, J. and Peralta, R. 

Cryptographic computation: secure fault tolerant protocols and the public-key 
model 135 

Galil, Z., Haber, S. and Yung, M. 

Gradual and verifiable release of a secret 156 

Brickell, E. F., Chaum, D., Damgård, I. B. and van de Graaf, J. 

Strong practical protocols 167 

Moore, J. H. 

Identity based conference key distribution systems 175 

Koyama, K. and Ohta, K. 

On the key predistribution system: a practical solution to the key distribution 

problem 185 

Matsumoto, T. and Imai, H. 

Key distribution systems based on identification information 194 

Okamoto, E. 

Secret distribution of keys for public key systems 203 

Quisquater, J. J. 







An impersonation proof identity verification scheme 211 

Simmons, G. J. 

Arbitration in tamper proof systems. If DES approximately=RSA then 
what’s the difference between true signature and arbitrated signature schemes? 216 

Davida, G. I. and Matt, B. J. 

Efficient digital public-key signatures with shadow 223 

Guillou, L. C. and Quisquater, J. J. 

Security-related comments regarding McEliece’s public-key cryptosystem 224 

Adams, C. M. and Meijer, H. 

Components and cycles of a random function 231 

DeLaurentis, J. M. 

Fast spectral tests for measuring nonrandomness and the DES 243 

Feldman, F. A. 

Other cycling tests for DES 255 

Quisquater, J. J. and Delescaille, J. P. 

A cryptoengine 257 

Davida, G. I. and Dancs, F. B. 

A natural taxonomy for digital information authentication schemes . . . 269 
Simmons, G. J. 

Analyzing encryption protocols using formal verification techniques . . . 289 
Kemmerer, R. A. 

Cryptosystems based on an analog of heat flow 306 

Blakley, G. R. and Rundell, W. 

A combinatorial approach to threshold schemes 330 

Stinson, D. R. and Vanstone, S. A. 

A realization scheme for the identity based cryptosystem 340 

Tanaka, H. 

Equivalence between two flavours of oblivious transfers (cryptography) 350 
Crépeau, C. 

A construction for authentication/secrecy codes from certain combinatorial 

designs 355 

Stinson, D. R. 

A digital signature based on a conventional encryption function 369 

Merkle, R. C. 







How to make replicated data secure 379 

Herlihy, M. P. and Tygar, J. D. 

A study of password security 392 

Luby, M. and Rackoff, C. 

A video scrambling technique based on space filling curves 398 

Matias, Y. and Shamir, A. 

Secure audio teleconference 418 

Brickell, E. F., Lee, P. J. and Yacobi, Y. 

Attack on the Koyama-Ohta identity based key distribution scheme 429 

Yacobi, Y. 

On the F function of FEAL (cryptography) 434 

Fumy, W. 

Patterns of entropy drop of the key in an S-box of the DES 438 

Zeng, K., Yang, J.-H. and Dai, Z. 

The Rao-Nam scheme is insecure against a chosen-plaintext attack 445 

Struik, R. and van Tilburg, J. 

On Struik-Tilburg cryptanalysis of Rao-Nam scheme 458 

Rao, T. R. N. 

A generalization of Hellman’s extension of Shannon’s approach to cryptography 461 

Beauchemin, P. and Brassard, G. 

Multiparty unconditionally secure protocols 462 

Chaum, D., Crépeau, C. and Damgård, I. B. 







Lecture Notes in 
Computer Science 

Edited by G. Goos and J. Hartmanis 

330 

Christoph G. Günther (Ed.) 

Advances in Cryptology — 
EUROCRYPT '88 

Workshop on the Theory and Application 
of Cryptographic Techniques 
Davos, Switzerland, May 25-27, 1988 
Proceedings 



PREFACE 

The International Association for Cryptologic Research (IACR) organises two 
international conferences every year, one in Europe and one in the United States. 
EUROCRYPT '88, held in the beautiful environment of the Swiss mountains in 
Davos, was the sixth European conference. The number of contributions and of 
participants at the meeting has increased substantially, which is an indication of 
the high interest in cryptography and system security in general. 

The interest has not only increased but has also further moved towards 
authentication, signatures and other protocols. This is easy to understand in view 
of the urgent needs for such protocols, in particular in connection with open 
information systems, and in view of the exciting problems in this area. The equally 
fascinating classical field of secrecy, i.e. the theory, design and analysis of stream 
or block ciphers and of public key cryptosystems, was however also well represented 
and several significant results were communicated. 

The present proceedings contain all contributions which were accepted for 
presentation. The chapters correspond to the sessions at the conference. 

I am grateful to all authors of these contributions for the careful preparation 
and prompt submission of their papers. On behalf of the General Chairman, it is 
a pleasure to thank the authors and the members of the Program Committee for 
having made the conference such an interesting and stimulating meeting. We are 
indebted to the sponsors for their generous donations and to the members of the 
Organization Committee, who have so perfectly organized the meeting. 

Baden, June 1988 

C.G.G. 
Foreword 

The papers in this volume were presented at the CRYPTO ’88 conference 
on theory and applications of cryptography, held August 21-25, 1988 
in Santa Barbara, California. The conference was sponsored by the 
International Association for Cryptologic Research (IACR) and hosted by the 
computer science department at the University of California at Santa Barbara. 

The 44 papers presented here comprise: 35 papers selected from 61 extended 
abstracts submitted in response to the call for papers, 4 invited 
presentations, and 6 papers selected from a large number of informal rump 
session presentations. 

The papers were chosen by the program committee on the basis of the 
perceived originality, quality and relevance to the field of cryptography of the 
extended abstracts submitted. The submissions were not otherwise refereed, 
and often represent preliminary reports on continuing research. 

It is a pleasure to thank many colleagues. Harold Fredricksen single- 
handedly made CRYPTO ’88 a successful reality. Eric Bach, Paul Barrett, 
Tom Berson, Gilles Brassard, Oded Goldreich, Andrew Odlyzko, Charles 
Rackoff and Ron Rivest did excellent work on the program committee in 
putting the technical program together, assisted by kind outside reviewers. 

Dawn Crowel at MIT did a super job in publicizing the conference and 
coordinating the activities of the committee, and Deborah Gmpp has been 
most helpful in the production of this volume. Special thanks are due to Joe 
Kilian whose humor while assisting me to divide the papers into sessions was 
indispensable. 

Finally, I wish to thank the authors who submitted papers for consideration 
and the attendants of CRYPTO ’88 for their continuing support. 

June 1989 Shafi Goldwasser 

Cambridge, MA 
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PREFACE 



The International Association for Cryptologic Research (IACR) organises two international conferences every year, one in Europe and one in the United States. EUROCRYPT ’89 was the seventh European conference and was held in Houthalen, Belgium on April 10-13, 1989. With close to 300 participants, it was perhaps the largest open conference on cryptography ever held.

The field of cryptography is expanding not only because of the increased vulnerability of computer systems and networks to an increasing range of threats, but also because of the rapid progress in cryptographic methods, which the readers can witness by reading the book.

The present proceedings contain nearly all contributions which were presented, including the talks at the rump session. The chapters correspond to the sessions at the conference. It was the first time that a rump session was organised at a Eurocrypt conference. Sixteen impromptu talks were given, and the authors were invited to submit short abstracts of their presentations. Because of the special character of this session, the editors have taken the liberty to shorten some of these.

We are grateful to all authors for the careful preparation of their contributions. It is a pleasure to thank the members of the Program Committee for having made the conference such an interesting and stimulating meeting. In particular, we were very pleased with the interesting rump session organised by J. Gordon and the animated open problem session organised by E. Brickell. We are indebted to the sponsors for their generous donations and to the members of the Organisation Committee for the smooth organisation of the meeting.



Louvain-la-Neuve, Belgium
Louvain, Belgium 
July 1990 



J.-J.Q. 

J.V. 




EUROCRYPT ’89 






EUROCRYPT ’89 Table of Contents 



The adolescence of public-key cryptography (invited) 2 

Diffie, W. 

A secure public-key authentication scheme 3 

Galil, Z., Haber, S. and Yung, M.

How to improve signature schemes 16 

Brassard, G. 

A generalization of ElGamal’s public key cryptosystem 23 

Jaburek, W. J. and Vienna, G. 

An identity-based key-exchange protocol 29 

Guenther, C. G. 

How to keep authenticity alive in a computer network 38 

Bauspiess, F. and Knobloch, H.-J. 

The use of fractions in public-key cryptosystems 47 

Isselhorst, H. 

A practical protocol for large group oriented networks 56 

Frankel, Y.

Counting functions satisfying a higher order strict avalanche criterion 63

Lloyd, S.



A key distribution system based on any one-way function (extended abstract) 75

Davida, G. I., Desmedt, Y. and Peralta, R.

Non-linearity of exponent permutations 80 

Pieprzyk, J. 

Informational divergence bounds for authentication codes 93 

Sgarro, A. 



2n-bit hash-functions using n-bit symmetric block cipher algorithms 102

Quisquater, J. J. and Girault, M.

A simple technique for diffusing cryptoperiods 110 

Mjoelsnes, S. F. 

A general zero-knowledge scheme 122 

Burmester, M. V. D., Desmedt, Y., Piper, F. and Walker, M. 

Divertible zero knowledge interactive proofs and commutative random self-reducibility 134

Okamoto, T. and Ohta, K. 







Verifiable disclosure of secrets and applications (abstract) 150

Crepeau, C. 

Practical zero-knowledge proofs: Giving hints and using deficiencies 155

Boyar, J., Friedl, K. and Lund, C.

An alternative to the Fiat-Shamir protocol 173 

Stern, J. 

Sorting out zero-knowledge 181 

Brassard, G. and Crepeau, C. 

Everything in NP can be argued in perfect zero-knowledge in a bounded number of rounds (extended abstract) 192

Brassard, G., Crepeau, C. and Yung, M. 

Zero-knowledge proofs of computational power (extended summary) 196

Yung, M.

More efficient match-making and satisfiability 208 

den Boer, B. 

A single chip 1024 bits RSA processor 219

Vandemeulebroecke, A., Vanzieleghem, E., Jespers, P. G. A. and Denayer, T.

Cryptel — the practical protection of an existing electronic mail system 237

Cnudde, H.

Technical security: The starting point 243 

Van Auseloos, J. 

Security in open distributed processing 249 

Siuda, C. 

A European call for cryptographic algorithms: RIPE; Race Integrity Primitives Evaluation 267

Vandewalle, J., Chaum, D., Fumy, W., Jansen, C. J. A., Landrock, P. and Roelofsen, G.

Legal requirements facing new signature technology (invited) 273 

Antoine, M., Brakeland, J.-F., Eloy, M. and Poullet, Y.

Online cash checks 288 

Chaum, D. 

Efficient offline electronic checks (extended abstract) 294

Chaum, D., den Boer, B., van Heyst, E., Mjoelsnes, S. F. and Steenbeek, A.







Unconditional sender and recipient untraceability in spite of active attacks 302

Waidner, M.

Detection of disrupters in the DC protocol 320 

Bos, J. N. E. and den Boer, B. 

Random mapping statistics (invited) 329 

Flajolet, P. and Odlyzko, A. M. 

Factoring by electronic mail 355 

Lenstra, A. K. and Manasse, M. S. 

Cryptanalysis of short RSA secret exponents 372 

Wiener, M. J. 

How to break the direct RSA-implementation of MIXes 373 

Pfitzmann, B. and Pfitzmann, A. 

An information-theoretic treatment of homophonic substitution 382 

Jendal, H. N., Kuhn, Y. J. B. and Massey, J. L. 

Cryptanalysis of a modified rotor machine 395 

Wichmann, P. 

Cryptanalysis of video encryption based on space-filling curves 403 

Bertilsson, M., Brickell, E. F. and Ingemarsson, I. 

Impossibility and optimality results on constructing pseudorandom permutations (extended abstract) 412

Zheng, Y., Matsumoto, T. and Imai, H. 

On the security of Schnorr’s pseudo random generator 423 

Rueppel, R. A. 

How easy is collision search? Application to DES 429 

Quisquater, J. J. and Delescaille, J. P. 

Prepositioned shared secret and/or shared control schemes (invited) 436

Simmons, G. J.

Some ideal secret sharing schemes 468 

Brickell, E. F. 

Cartesian authentication schemes 476 

De Soete, M., Vedder, K. and Walker, M. 

How to say “no” 491 

Beutelspacher, A. 

Key minimal authentication systems for unconditional secrecy 497 

Godlewski, P. and Mitchell, C. 







Parallel generation of recurring sequences 503 

Guenther, C. G. 

Keystream sequences with a good linear complexity profile for every starting point 523

Niederreiter, H. 

On the Complexity of Pseudo-Random Sequences - or: If you Can Describe a Sequence It Can’t be Random 533

Beth, T. and Dai, Z. 

Feedforward functions defined by de Bruijn sequences 544

Dai, Z. and Zeng, K. 

Nonlinearity criteria for cryptographic functions 549 

Meier, W. and Staffelbach, O. 

On the linear complexity of feedback registers (extended abstract) 563 

Chan, A. H., Goresky, M. and Klapper, A.

Linear complexity profiles and continued fractions 571 

Wang, M. 

A fast correlation attack on nonlinearly feed-forward filtered shift-register sequences 586

Forre, R. 

On the complexity and efficiency of a new key exchange system 597 

Buchmann, J. A., Duellmann, S. and Williams, H. C. 

A new multiple key cipher and an improved voting scheme 617 

Boyd, C.

Atkin’s test: News from the front 626 

Morain, F. 

Fast generation of secure RSA-moduli with almost maximal diversity 636

Maurer, U. M.

Deciphering bronze age scripts of Crete. The case of Linear A (invited) 649

Duhoux, Y.

Faster primality testing (extended abstract) 652

Bosma, W. and van der Hulst, M. P.

Private-key algebraic-code cryptosystems with high information rates 657

Hwang, T. and Rao, T. R. N.

Zero-knowledge procedures for confidential access to medical records 662

Quisquater, J. J. and Bouckaert, A.







Full secure key exchange and authentication with no previously shared secrets 665

Domingo-Ferrer, J. and Huguet i Rotger, L. 

Varying feedback shift registers 670 

Roggeman, Y. 

A cryptanalysis of step_{k,m}-cascades 680

Gollmann, D. and Chambers, W. G. 

Efficient identification and signatures for smart cards 688 

Schnorr, C. P. 

The dining cryptographers in the disco: unconditional sender and recipient untraceability with computationally secure serviceability 690

Waidner, M. and Pfitzmann, B. 

Some conditions on the linear complexity profiles of certain binary sequences 691

Carter, G.

On the design of permutation P in DES type cryptosystems 696 

Brown, L. and Seberry, J. 

A fast elliptic curve cryptosystem 706 

Agnew, G. B., Mullin, R. C. and Vanstone, S. A. 




CRYPTO ’89



Lecture Notes in Computer Science

Edited by G. Goos and J. Hartmanis

435

G. Brassard (Ed.)

Advances in Cryptology - CRYPTO ’89

Proceedings

Springer-Verlag

New York Berlin Heidelberg London Paris Tokyo Hong Kong








Preface 



Pour Alice 
Qui venue au monde 
froit setnaine* avant l’atNikeneA« 



Crypto is a conference devoted to all aspects of cryptologic research. It has been held each year on the campus of the University of California at Santa Barbara since 1981, when it was first organized by Alan Gersho. Annual meetings also take place in Europe under the name of EUROCRYPT. Both Crypto and EUROCRYPT conferences are now sponsored by the International Association for Cryptologic Research (IACR), which was founded in the wake of CRYPTO ’82. You are now holding the proceedings of the ninth CRYPTO meeting: Crypto ’89. Recent previous proceedings of Crypto and Eurocrypt can be cited as [2, 3, 4, 5, 8]. For citations of yet earlier proceedings, please consult the preface of Eurocrypt ’87 [2].

This year’s conference took place on August 20-24, 1989. It attracted 263 participants coming from 23 countries, showing a steady increase in size, and requiring a change to a larger lecture room. This growth is better appreciated if one goes back to the preface of CRYPTO ’82, which claims that “[it] was the largest conference of its kind [... it] attracted over 100 participants” [1]! Approximately 40% of the attendees were from the industry, 40% from universities, and 20% from governments. The great success of this year’s conference was largely due to the enthusiasm and wonderful work done by Kevin McCurley, who was holding the general chair. We all owe him a debt of gratitude for his total commitment to making CRYPTO ’89 a memorable event. For a more elaborate report on CRYPTO ’89, please read the report that Kevin has written with my collaboration in the IACR Newsletter [8]. Details on the new policies that I enforced as program chairperson can be found in [7].

The call for papers resulted in 93 submissions coming from 18 countries. Out of those, 6 were not considered because they arrived after the deadline, 1 was withdrawn, 45 were accepted, and 2 pairs were asked to merge. The accepted papers were selected by the program committee, sometimes on the basis of a rather short abstract. As an experiment for the CRYPTO conference, I enforced a blind refereeing process by which the names of the authors were not revealed to the other members of the program committee. The final papers were not refereed at all, and the authors retain full responsibility for their contents. Several of the papers are preliminary reports of continuing research. It is anticipated that many of these papers will appear in more polished form in various technical journals, including IACR’s Journal of Cryptology. There will be a special issue of the Journal of Cryptology devoted to some of the best papers of the conference this year. These papers will be refereed by the usual process, and Joan Feigenbaum will serve as the special editor for the issue.
In addition to the contributed papers, I scheduled three invited talks: “Keying the German navy’s Enigma” by David Kahn, “Digital signatures: The evolution of a fundamental primitive” by Silvio Micali, and “A survey of hardware implementations of RSA” by Ernest F. Brickell. Moreover, in order to encourage a balance between practical and theoretical topics at the conferences, this year’s program featured an invited special session on practical aspects of cryptology, which was organized and chaired by Russell L. Brand. Thus, 53 regular papers were presented at the conference. Furthermore, 26 additional papers were submitted on the first day of the conference for the traditional “rump session” of impromptu talks organized as always by Whitfield Diffie. Of those, 17 were accepted for short presentation on Tuesday evening, as selected by Whitfield and me.

These proceedings contain papers for all the contributed and all but one of the invited talks given at the conference. The exception is the invited talk of Silvio Micali. Short papers (I imposed a strict limit of four pages) are also included for 8 of the 17 impromptu talks. Reflecting the structure of the conference, the proceedings are arranged in 13 sections (followed by an author index). Each section corresponds to one session of the conference. The first 12 sections contain the contributed and invited papers in the order in which they were presented. The last section is devoted to the rump session. The sections are organized according to the following themes: opening session, why is cryptography harder than it looks?, pseudo-randomness and sequences, cryptanalysis and implementation, signature and authentication I and II, threshold schemes and key management, key distribution and network security, fast computation, odds and ends, zero-knowledge and oblivious transfer, multiparty computation, and the rump session.

Two papers in this collection are of historical significance. The proceedings open with a short paper by David Kahn on the Enigma. You will also find an antique paper by Ralph Merkle, describing “A certified digital signature”, which was accepted a decade ago for publication in the Communications of the ACM, but which has never seen the light of day. I trust you will agree that despite its old age, this paper has lost none of its interest. Because I wanted Merkle’s paper to appear exactly as it was written ten years ago, I allowed the author one page above the otherwise very strict page limit imposed on all other authors. (Please don’t throw bricks at me!)

It is my great pleasure to acknowledge the efforts of those who contributed to making the conference and its proceedings possible. First of all, I wish to thank the program committee, without whom my task would have been hopeless. Most of them read and made detailed comments on at least 29 submissions. Besides myself, the committee consisted of Josh Benaloh (University of Toronto), Russell L. Brand (Special session chairperson, Lawrence Livermore National Laboratory), Claude Crepeau (Massachusetts Institute of Technology), Whitfield Diffie (Bell Northern Research), Joan Feigenbaum (AT&T Bell Laboratories), James L. Massey (ETH Zentrum, Zurich), Jim Omura (Cylink Corporation), Gustavus J. Simmons (Sandia National Laboratories), and Scott Vanstone (University of Waterloo). Moreover
many colleagues outside the committee offered their occasional help. Among them, Manuel Blum, Ernest F. Brickell, Jeffrey Lagarias, Michael Merritt, Larry Ozarow, Carl Pomerance, Jim Reeds, and Moti Yung.

Of course, the most important contribution was that of the authors (including those whose submissions could not be accepted because of the large number of very high quality submissions to the conference this year). I wish to thank the authors for taking so seriously into account my deadline for submission of the final papers. The timeliness of these proceedings is their doing, together with heavy use of electronic mail. More than 300 messages were exchanged by electronic mail between me and the authors, totalizing over half a megabyte of information. Compared to that, I had to make only about 25 long distance phone calls, and S Fax’s were exchanged.

I also wish to thank the session chairpersons. In addition to program committee members, sessions were chaired by Bob Blakley, Joan Boyar, Ernest F. Brickell, and Kevin McCurley. James L. Massey was scheduled to chair session 10, but he was unfortunately unable to attend the conference because of an accident on the way to the airport. Bob Blakley was kind enough to chair his session on short notice.

Many other people deserve thanks for the organization of the conference. Chief among them, of course, is Kevin McCurley, the general chairperson. I wish to thank also everyone else who took part in the organization of the meeting, IACR officers and directors, and all attendees. I am also grateful to three students who helped me greatly with my task: André Berthiaume, Philippe Hébrais and Sophie Laplante. Lynn Montz and Suzanne Anthony were instrumental at Springer-Verlag in helping me put the proceedings together.

Last but not least, I wish to express my deepest gratitude to my wife Isabelle and newborn daughter Alice for putting up with me while I was working overtime on the program in the spring and on the proceedings in the fall.

Montreal, December 1989 Gilles Brassard
Preface



EUROCRYPT is a conference devoted to all aspects of cryptologic research, both theoretical and practical. In the last 7 years, the meeting has taken place once a year at various places in Europe. Both these meetings and the annual Crypto meetings in California are sponsored by The International Association for Cryptologic Research (IACR). Most of the proceedings from these meetings are, like this one, published in Springer-Verlag’s Lecture Notes in Computer Science series.

EuroCrypt 90 took place on May 21-24 at conference center Scanticon, situated in Aarhus, Denmark. There were more than 250 participants from all over the world. It is a pleasure to
Finally, it is a pleasure to acknowledge all those who contributed to putting together the program of EuroCrypt 90 and making these proceedings a reality.

First of all, thanks to the program committee. All of its members put a tremendous amount of
Foreword

Crypto ’90 marked the tenth anniversary of the Crypto conferences held at the University of California at Santa Barbara. The conference was held from August 11 to August 15, 1990 and was sponsored by the International Association for Cryptologic Research, in cooperation with the IEEE Computer Society Technical Committee on Security and Privacy and the Department of Computer Science of the University of California at Santa Barbara.

Crypto ’90 attracted 227 participants from twenty countries around the world. Roughly 35% of attendees were from academia, 45% from industry and 20% from government. The program was intended to provide a balance between the purely theoretical and the purely practical aspects of cryptography to meet the needs and diversified interests of these various groups.

The overall organization of the conference was superbly handled by the general chairperson Sherry McMahan. All of the outstanding features of Crypto, which we have come to expect over the years, were again present and, in addition to all of this, she did a magnificent job in the preparation of the book of abstracts. This is a crucial part of the program and we owe her a great deal of thanks.

Each year the number and quality of submissions to Crypto has been increasing. This is of course very good for the conference but it does make the task of the program committee more difficult. This year we had 104 papers and abstracts submitted from 18 countries. In anticipation of this larger number, the committee was expanded to twelve members representing seven countries. Having a bigger committee and a wider global representation poses certain problems with communication, but we believe these problems are minute in comparison to the benefits obtained from having each paper scrutinized by more people and by involving a much larger cross-section of the cryptographic community in this process. Each paper was assigned to three committee members who were then responsible for its refereeing. Of the 104 submissions, one was withdrawn, 43 were accepted for presentation and, of these 43, two were merged into one presentation. All papers and abstracts accepted for presentation which contained sufficient detail for the committee to make a reasonably accurate evaluation of the final form of the paper have not been re-refereed. Rump session contributions and papers accepted for presentation based on abstracts with very little detail have been refereed.

As in other years, Whitfield Diffie kindly agreed to coordinate the Rump Session. We would like to take this opportunity to thank Whit for running this very important aspect of Crypto over the years and for graciously accepting to do it again. In an effort to contain the number of short talks given in this session, a much harder line was adopted this year. Of the 22 abstracts submitted only 12 were accepted for presentation. Of these 12, only 6 were submitted for the proceedings and all of these have gone through a thorough refereeing process.
For this conference there were three invited speakers and each was given fifty minutes to lecture. It was our goal to have topics of current interest, given by noted authorities in the area and presented in a manner which would make the lectures accessible to a large audience of diversified backgrounds. With this in mind we approached Whitfield Diffie (Bell Northern Research), Adi Shamir (Weizmann Institute) and Gus Simmons (Sandia National Laboratories) and all accepted. We thank them for their outstanding presentations and the enthusiasm which they conveyed for the subject.

We would also like to thank Dr. Tatsuaki Okamoto (NTT Tokyo) for the very 
valuable assistance he provided to us. Dr. Okamoto was on sabbatical leave from 
NTT and was spending this time (August 1989 - August 1990) at the University 
of Waterloo. He kindly volunteered his services and made many very important 
and significant contributions to our efforts with the program. 

Finally, we thank the members of the program committee itself for the very fine job they did. Theirs is a task which takes a great deal of time and effort and which receives a disproportionate amount of gratitude. Without a complete commitment by all members, the task would be impossible. We thank each of them for a very thorough and conscientious effort and also for their very deep dedication in making Crypto ’90 successful. Many thanks to Gordon Agnew, Thomas Berson, Johannes Buchmann, Yvo Desmedt, Amos Fiat, Kenji Koyama, Ronald Rivest, Rainer Rueppel, Marijke De Soete, Doug Stinson, and Hugh Williams.

Alfred J. Menezes and Scott A. Vanstone
University of Waterloo 
December 1990 







CRYPTO ’90 



A Conference on the Theory and Application of Cryptography

held at the University of California, Santa Barbara,
August 11-15, 1990

through the cooperation of the Computer Science Department

Sponsored by:

International Association for Cryptologic Research
in cooperation with

The IEEE Computer Society Technical Committee
On Security and Privacy



General Chair 
Sherry McMahan, Cylink 

Program Chair 

Scott Vanstone, University of Waterloo 



Program Committee 



Gordon Agnew, University of Waterloo
Thomas Berson, Anagram Laboratories
Johannes Buchmann, Universität des Saarlandes
Yvo Desmedt, University of Wisconsin
Amos Fiat, Tel-Aviv University
Kenji Koyama, NTT Basic Research Lab
Ronald Rivest, Massachusetts Institute of Technology
Rainer Rueppel, Crypto AG
Marijke De Soete, Philips Research Labs
Doug Stinson, University of Nebraska
Hugh Williams, University of Manitoba







CRYPTO ’90 Table of Contents 

Differential cryptanalysis of DES-like cryptosystems (Extended abstract) 2 
Biham, E. and Shamir, A. 

A statistical attack of the FEAL cryptosystem 22 

Gilbert, H. and Chasse, G. 

An improved linear syndrome algorithm in cryptanalysis with applications 34 
Zeng, K., Yang, C. H. and Rao, T. R. N. 

Quantum bit commitment and coin tossing protocols 49 

Brassard, G. and Crepeau, C.

Security with low communication overhead (Extended abstract) 62 

Beaver, D., Feigenbaum, J., Kilian, J. and Rogaway, P. 

Fair computation of general functions in presence of immoral majority . 77 
Goldwasser, S. and Levin, L. 

One-way group actions 94 

Brassard, G. and Yung, M. 

Solving large sparse linear systems over finite fields 109 

LaMacchia, B. A. and Odlyzko, A. M.

On the computation of discrete logarithms in class groups (Extended abstract) 134

Buchmann, J. A. and Duellmann, S. 

Matrix extensions of the RSA algorithm 140 

Chuang, Chih-Chwen and Dunham, J. George

Constructing elliptic curve cryptosystems in characteristic 2 156 

Koblitz, N. 

Identification tokens - or: Solving the chess grandmaster problem 169 

Beth, T. and Desmedt, Y. 

Arbitrated unconditionally secure authentication can be unconditionally protected against arbiter’s attacks (Extended abstract) 177

Desmedt, Y. and Yung, M. 

Convertible undeniable signatures 189 

Boyar, J., Chaum, D., Damgård, I. B. and Pedersen, T. P.

Unconditionally Secure Digital Signatures 206 

Chaum, D. and Roijakkers, Sandra

Geometric shared secret and/or shared control schemes 216 

Simmons, G. J. 







Some improved bounds on the information rate of perfect secret sharing schemes (Extended abstract) 242

Brickell, E. F. and Stinson, D. R. 

Collective coin tossing without assumptions nor broadcasting 253 

Micali, S. and Rabin, T. 

A key distribution ’’paradox” 268 

Yacobi, Y. 

A modular approach to key distribution 274 

Fumy, W. and Munzert, M. 

Structural properties of one-way hash functions 285 

Zheng, Y., Matsumoto, T. and Imai, H. 

The MD4 message digest algorithm 303 

Rivest, R. L. 

Achieving zero-knowledge robustly 313 

Kilian, J. 

Hiding instances in zero-knowledge proof systems (Extended abstract) 326 
Beaver, D., Feigenbaum, J. and Shoup, V. 

Multi-language zero knowledge interactive proof systems 339

Kurosawa, K. and Tsujii, S. 

Publicly verifiable non-interactive zero-knowledge proofs 353 

Lapidot, D. and Shamir, A. 

Cryptographic applications of the non-interactive metaproof and many-prover systems (Preliminary version) 366

De Santis, A. and Yung, M. 

Interactive proofs with provable security against honest verifiers 378 

Kilian, J. 

On the universality of the next bit test 394 

Schrift, A. W. and Shamir, A. 

A universal statistical test for random bit generators 409 

Maurer, U. M. 

On the impossibility of private key cryptography with weakly random keys 421

McInnes, J. L. and Pinkas, B.

How to time-stamp a digital document 437 

Haber, S. and Stornetta, W. Scott







How to utilize the randomness of zero-knowledge proofs (Extended abstract) 456

Okamoto, T. and Ohta, K.

Fast software encryption functions 476 

Merkle, R. C. 

CORSAIR: A smart card for public key cryptosystems 502 

De Waleffe, D. and Quisquater, J. J. 

Fast checkers for cryptography 515 

Kompella, K. and Adleman, L. M. 



Complexity theoretic issues concerning block ciphers related to D.E.S. 530

Cleve, R.



The REDOC II cryptosystem 545 

Cusick, T. W. and Wood, M. C. 

A recursive construction method of S-boxes satisfying strict avalanche criterion 564

Kim, K., Matsumoto, T. and Imai, H. 

A comparison of practical public-key cryptosystems based on integer factorization and discrete logarithms 576

van Oorschot, P. C. 

Nonlinear parity circuits and their cryptographic applications 582 

Koyama, K. and Terada, R. 



Cryptographic significance of the carry for ciphers based on integer addition 601

Staffelbach, O. and Meier, W.

Computation of discrete logarithms in prime fields (Extended abstract) 616

LaMacchia, B. A. and Odlyzko, A. M.



Systolic modular multiplication 619 

Even, S. 

Finding four million large random primes 625 

Rivest, R. L. 

The FEAL Cipher Family 627 

Miyaguchi, S. 

Discrete-log with compressible exponents 639 

Yacobi, Y.




EUROCRYPT ’91 






D. W. Davies (Ed.) 



Advances in 
Cryptology- 



EUROCRYPT ’91 



Workshop on the Theory and Application 
of Cryptographic Techniques 
Brighton, UK, April 8-11, 1991
Proceedings 



Lecture Notes in Computer Science 547 



Springer-Verlag 

Berlin Heidelberg New York 
London Paris Tokyo 
Hong Kong Barcelona 
Budapest 







Preface 



A series of open workshops devoted to modern cryptology began in Santa Barbara, California in 1981 and was followed in 1982 by a European counterpart in Burg Feuerstein, Germany. The series has been maintained with summer meetings in Santa Barbara and spring meetings somewhere in Europe. At the 1983 meeting in Santa Barbara the International Association for Cryptologic Research was launched and it now sponsors all the meetings of the series.

Following the tradition of the series, papers were invited in the form of extended abstracts and were reviewed by the programme committee, which selected those to be presented. After the meeting, full papers were produced, in some cases with improvements and corrections. These papers form the main part of the present volume. They are placed in the same order that they took at the meeting and under the same headings, for ease of reference by those who attended. The classification under these headings was a little arbitrary, needing to fit the timing of the day’s activities, but it makes a workable method of arrangement.

Also following tradition, a “rump session” was held during one evening, under the effective chairmanship of John Gordon. These were short presentations and those present found them to have some real interest, therefore we have taken the unusual step of including short papers contributed by the rump session speakers at the end of this volume, with a necessarily simplified review process.

There was no attempt by the programme committee to guide the programme towards particular themes, though the interests of the committee members may have influenced the shape of the meeting. In our admittedly rough classification the largest group was about sequences, the term interpreted rather widely. The next biggest group concerned cryptanalysis, which was welcomed because cryptanalysis is the criterion by which algorithms and protocols in cryptography must be judged.

Zero-knowledge interactive protocols figured less this year than at earlier meetings - a consequence of the submissions we received, not of policy.

Smaller groups of papers dealt with S-box criteria, signatures and new ideas in public key cryptography. Then there were many papers placed into sessions labelled “theory” and “applications”.

My task as programme chair was made easier by the high quality of papers we received, though we regretted having to reject some of the papers because of time limitations. I would like to thank the programme committee for its hard work of reviewing papers and the organizing committee for ensuring that everything ran smoothly, including the social events. Then, of course, the authors deserve many thanks for favouring Eurocrypt ’91 with the publication of their excellent work and for preparing their final papers with (in most cases) admirable despatch.



London, August 1991 



Donald W. Davies 
Preface



The Crypto ’91 conference, sponsored by the International Association for Cryptologic Research (IACR), took place at the University of California in Santa Barbara, August 11-15, 1991. The conference was very enjoyable and ran very smoothly, largely because of the efforts of General Chair Burt Kaliski and his colleagues at RSA Data Security, Inc.

There were 115 submissions, two of which were not considered because they arrived after the deadline. Three of the remaining 113 were withdrawn by their authors. Of the 110 submissions considered by the Program Committee, 36 were chosen for presentation at the conference; in two cases, the results presented were combinations of two related submissions. In addition, the Committee chose three invited speakers. All of the contributed talks and two of the invited talks resulted in papers for this volume. Please remember that these are unrefereed papers and that the authors bear full responsibility for their contents. Many of these papers represent work in progress; we expect that the authors will write final papers for refereed journals when their work is complete.

For the third year in a row, submissions were requited to he anonymous. This year, we 
had an acplidt rule that eadi Program Committee member could be an author or coauthor 
of most one accepted paper. Program Committ^ members’ submissions were wionymous 
and went through the same reviewing process as other submissions. 

It is my pleasure to acknowledge the efforts of those who contributed to mining the con- 
ference a success. First of all, I wish to thank the Program Committee, which consisted of 
Tom Betson (Anagram Laboratories), myself, Ingemar Ingemarsson (University of Linkop- 
ing), Ueli Maurer (Princeton University and ETH Zurich), Kevin McCuriey (Saadia Hationai 
LaWatories), Michael Merritt (AT&T Bell Laboratories), Moni Naor (IBM Almaden), Eiji 
Okamoto (NEC Japan), Josef Pieprayk (University of New South Wales), Tony Roaati (New- 
bridge Microsystems), and Moti Yung (IBM Yorktown). Many of us relied on colleagues and 
Mends for help in evaluating the submissions - those who helped include Martin Abadi, 
Josh Benaioh, Ernie Brickeil, Mike Burrows, Don Coppersmith, Urid Feige, Matt fVanklin, 
Stuart Habd, Mike Luby, Andrew Odlyzko, Alon OrUtsky, and Jim Ree^. As usual, we all 
thank Whit DiflEie for organizing the rump session. I thank Gilles Brassard for agreeing 
the last minute to chair the first session of the conference and for providing alt of the Latex 
macros that I used to put together the procee<hngs. Ruth Shell was extremely helpful in 
processing all <rf the suWissions, acknowledgements, acceptances, and rejections. 

Finally, I thank the authom for sending in their submissioiu (even the ones that were 
rejected), the speakers, and all of the partidpsmts in this and other lACR conferences. We 
have established a good tradition, and I hope it continues. 



Murray Hill, NJ 
December, 1991 



Joan Feigenbaum

Preface



A series of open workshops devoted to modern cryptology began in Santa Barbara, 
California in 1981 and was followed in 1982 by a European counterpart in Burg 
Feuerstein, Germany. The series has been maintained with summer meetings in 
Santa Barbara and spring meetings somewhere in Europe. At the 1983 meeting in 
Santa Barbara the International Association for Cryptologic Research was launched
and it now sponsors all the meetings of the series.

Eurocrypt '92 in Hungary was a special meeting in many ways. For the first time, it
was held in an Eastern European country. Our charming Hungarian hosts turned
the conference into an unforgettable experience for all of us. Also for the first time,
the General Chair and the Program Chair were based in different countries. The
Program Committee was selected very internationally, which implied that joint
meetings were impossible in the course of setting the program. It was encouraging
to see how swiftly disputes could be resolved by electronic mail. To ease its
burden, the official Program Committee of Eurocrypt '92 obtained help from many
renowned researchers and scientists. Here is the final list of all those people (that I
know of) who helped during the refereeing phase.

Brandt, Brickell, Charpin, Crepeau, Csirmaz, Damgard, Denes, Desmedt,
Feigenbaum, Fell, Fujioka, Girault, Golic, Helleseth, Itoh, Joux, Kenyon,
Koyama, Kurosawa, Landrock, Matsui, Matsumoto, McCurley, Merritt,
Miyaguchi, Miyaji, Morain, Morita, Nemetz, Odlyzko, Ohta, Okamoto,
Quisquater, Rueppel, Sake, Sakurai, Santha, Seberry, Shamir, Simmons,
Staffelbach, Stern, Tanaka, Vajda, Valle, Vang, Yung.

The Rump Session, this time held more in the spirit of a recent results session, was 
chaired by Laszlo Csirmaz. Some of the presentations, after a simplified review 
procedure, were selected for publication in these proceedings. They can be found 
at the end of this volume. 

For the first time, a panel discussion was organized, entitled "The Eurocrypt '92 
Controversial Issue: Trapdoor Primes and Moduli". The topic was mainly 
motivated by the public debate on the draft standard on digital signatures 
proposed by NIST. The panel members produced an interesting report which is 
included in this volume. 

Following the tradition of the series, the authors produced full papers after the 
meeting, in some cases with revisions. These papers form the main part of the 
present volume. They are placed in the same order that they took at the meeting 
and under the same headings, for ease of reference by those who attended. 

My thanks go to the "extended" Program Committee, to the General Chair Tibor
Nemetz, to the Organizing Committee, and last but not least to the authors who 
contributed their recent results. They all have invested their time and effort to 
make Eurocrypt '92 a success. 



Zurich, October 1992 



Rainer A. Rueppel 
Preface



Crypto '92 took place on August 16-20, 1992. It was the twelfth in the series of annual
cryptology conferences held on the beautiful campus of the University of California, Santa
Barbara. Once again, it was sponsored by the International Association for Cryptologic
Research, in cooperation with the IEEE Computer Society Technical Committee on
Security and Privacy. The conference ran smoothly, due to the diligent efforts of the general
chair, Spyros Magliveras of the University of Nebraska.

One of the measures of the success of this series of conferences is represented by the ever
increasing number of papers submitted. This year, there were 135 submissions to the
conference, which represents a new record. Following the practice of recent program
committees, the papers received anonymous review. The program committee accepted 38 papers
for presentation. In addition, there were two invited presentations, one by Miles Smid on
the Digital Signature Standard, and one by Mike Fellows on presenting the concepts of
cryptology to elementary-age students. These proceedings contain these 40 papers plus 3
papers that were presented at the Rump Session. I would like to thank all of the authors of
the submitted papers and all of the speakers who presented papers.

I would like to express my sincere appreciation to the work of the program committee: Ivan
Damgard (Aarhus University, Denmark), Oded Goldreich (Technion, Israel), Burt Kaliski
(RSA Data Security, USA), Joe Kilian (NEC, USA), Neal Koblitz (University of
Washington, USA), Ueli Maurer (ETH, Switzerland), Chris Mitchell (Royal Holloway,
UK), Kazuo Ohta (NTT, Japan), Steven Rudich (Carnegie Mellon, USA), and Yacov
Yacobi (Bellcore, USA). I would also like to thank Joan Boyar for agreeing to chair one of
the sessions.



Ernest Brickell
Albuquerque, NM 
August, 1993 
Preface



Eurocrypt is a series of open workshops on the theory and application of cryptographic
techniques. These meetings have taken place in Europe every year since 1982 and are
sponsored by the International Association for Cryptologic Research (IACR).

Eurocrypt '93 was held on May 23-27 at Hotel Ullensvang, beautifully located in the village
of Lofthus in the heart of Norway's fjord district. This conference attracted 266 participants
from 29 countries. It is a pleasure to thank the local organizers of this conference and the
general chair Kåre Presttun. A special acknowledgment to Leif Nilsen whose dedication and
tremendous effort was crucial to make the conference a very successful one.

The call for papers resulted in 117 submissions with authors representing 27 different
countries. The accepted papers were selected by the program committee after a blind
refereeing process where the authors of the papers were unknown to the program committee
members. Because of the number of papers the members of the program committee
were encouraged to ask reliable colleagues for assistance in the evaluation of the papers. The
program committee had the difficult task of selecting only 36 of these papers for presentation
at the conference. In addition Professor Ernst Selmer was especially invited to present a
talk at the conference.

The rump session this year was chaired by Ingemar Ingemarsson. Some of the presentations
were, after a simplified review process, selected for publication in these proceedings and can
be found at the end of this volume.

I would like to thank all the people who contributed to the work of putting together the
program of Eurocrypt '93. I am indebted to the members of the program committee for their
time and conscientious effort in the evaluation and selection of papers for presentation at
the conference. I am also grateful to the 31 additional reviewers who assisted the program
committee members in their evaluation. A special thanks to my colleague Øyvind Ytrehus
for his valuable assistance in handling the correspondence to the authors and preparing the
proceedings. Finally, I would like to thank all the authors for submitting so many good
papers and for their cooperation in preparing this volume.



Bergen, October 1993



Tor Helleseth
PREFACE



The CRYPTO '93 conference was sponsored by the International Association for
Cryptologic Research (IACR) and Bell-Northern Research (a subsidiary of
Northern Telecom), in co-operation with the IEEE Computer Society Technical
Committee. It took place at the University of California, Santa Barbara, from
August 22-26, 1993. This was the thirteenth annual CRYPTO conference, all of
which have been held at UCSB. The conference was very enjoyable and ran very
smoothly, largely due to the efforts of the General Chair, Paul Van Oorschot.
It was a pleasure working with Paul throughout the months leading up to the
conference.

There were 136 submitted papers which were considered by the Program
Committee. Of these, 38 were selected for presentation at the conference. There
was also one invited talk at the conference, presented by Miles Smid, the title of
which was “A Status Report On the Federal Government Key Escrow System”.
The conference also included the customary Rump Session, which was presided
over by Whit Diffie in his usual inimitable fashion. Thanks again to Whit for
organizing and running the Rump session. This year, the Rump Session included
an interesting and lively panel discussion on issues pertaining to key escrowing.
Those taking part were W. Diffie, J. Gilmore, S. Goldwasser, M. Hellman, A.
Herzberg, S. Micali, R. Rueppel, G. Simmons and D. Weitzner.

These proceedings contain revised versions of the 38 contributed talks, as
well as two talks from the Rump Session. Please remember that these papers
are unrefereed, and many of them represent work in progress. Some authors will
write final versions of their papers for publication in refereed journals at a later
date. Of course, the authors bear full responsibility for the contents of their
papers.

I am very grateful to the members of the Program Committee for their hard
work and dedication in the difficult task of selecting less than 30% of the
submitted papers for presentation at the conference. The members of the program
committee were as follows:

Mihir Bellare (IBM T. J. Watson)

Eli Biham (Technion, Israel)

Ernie Brickell (Sandia Laboratories)

Joan Feigenbaum (AT&T Bell Laboratories)

Russell Impagliazzo (UCSD)

Andrew Odlyzko (AT&T Bell Laboratories)

Tatsuaki Okamoto (NTT, Japan)

Birgit Pfitzmann (Hildesheim, Germany)

Rainer Rueppel (R3, Switzerland)

Scott Vanstone (Waterloo, Canada)

As has been done since 1989, submissions to CRYPTO '93 were required to be
anonymous. As well, we followed recent tradition which dictates that Program
Committee members could be an author or co-author of at most one accepted
paper. Papers submitted by members of the Program Committee underwent
the normal reviewing process (and, of course, no Program Committee member
reviewed his or her own paper).

Thanks to Jimmy Upton for help with the pre-proceedings that were
distributed at the conference (incidentally, this is the last year that CRYPTO will
have both pre-proceedings and proceedings — starting in 1994, the proceedings
will be available at the conference). Thanks also to Gus Simmons and Carol
Patterson, who helped out with registration at the conference. And I would also
like to convey my gratitude to Deb Heckens and my student, K. Gopalakrishnan,
for their assistance.

Finally, I would like to thank everyone who submitted talks for CRYPTO '93.
It goes without saying that the success of the conference depends ultimately on
the quality of the submissions — CRYPTO has been and remains a leading
conference in the discipline due to the high quality of the papers. I am also grateful
to the authors for sending me final versions of their papers for publication in
these proceedings in a timely fashion.



Douglas Stinson 
Program Chair, CRYPTO ’93 
University of Nebraska 
November, 1993 







CRYPTO ’93 Table of Contents 

Efficient signature schemes based on birational permutations 1 

Shamir, A. 

A new identification scheme based on syndrome decoding 13 

Stern, J.

The shrinking generator 22 

Coppersmith, D., Krawczyk, H. and Mansour, Y. 

An integrity check value algorithm for stream ciphers 40 

Taylor, R. 



Nonlinearly balanced boolean functions and their propagation characteristics 49

Seberry, J., Zhang, X. M. and Zheng, Y. 

A low communication competitive interactive proof system for promised quadratic residuosity 61

Itoh, T., Hoshi, M. and Tsujii, S. 

Secret sharing and perfect zero-knowledge 73 

De Santis, A., Di Crescenzo, G. and Persiano, G. 

One message proof systems with known space verifiers 85 

Aumann, Y. and Feige, U. 

Interactive hashing can simplify zero-knowledge protocol design without computational assumptions 100

Damgard, I. B. 

Fully dynamic secret sharing schemes 110 

Blundo, C., Cresti, A., De Santis, A. and Vaccaro, U. 

Multisecret threshold schemes 126 

Jackson, W. A., Martin, K. M. and O’Keefe, C. M. 

Secret sharing made short 136 

Krawczyk, H. 



A subexponential algorithm for discrete logarithms over all finite fields 147 



Adleman, L. M. and DeMarrais, J. 

An implementation of the general number field sieve 159 

Buchmann, J. A., Loho, J. and Zayer, J. 

On the factorization of RSA-120 166 

Denny, T., Dodson, B., Lenstra, A. K. and Manasse, M. S. 

Comparison of three modular reduction functions 175 

Bosselaers, A., Govaerts, R. and Vandewalle, J. 







Differential cryptanalysis of Lucifer 187 

Ben Aroya, I. and Biham, E. 

Differential attack on message authentication codes 200 

Ohta, K. and Matsui, M. 

Cryptanalysis of the CFB mode of the DES with a reduced number of rounds 212

Preneel, B., Nuttin, M., Rijmen, V. and Buelens, J. 

Weak keys for IDEA 224 

Daemen, J., Govaerts, R. and Vandewalle, J. 

Entity authentication and key distribution 232 

Bellare, M. and Rogaway, P. 

On the existence of statistically hiding bit commitment schemes and fail-stop signatures 250

Damgard, I. B., Pedersen, T. P. and Pfitzmann, B.

Joint encryption and message-efficient secure computation 266 

Franklin, M. K. and Haber, S. 

Cryptographic primitives based on hard learning problems 278 

Blum, A., Furst, M., Kearns, M. and Lipton, R. J. 

Extensions of single-term coins 292 

Ferguson, N. 

Untraceable off-line cash in wallets with observers 302 

Brands, S. 

Discreet solitary games 319 

Crepeau, C. and Kilian, J. 

On families of hash functions via geometric codes and concatenation 331

Bierbrauer, J., Johansson, T., Kabatianski, G. A. and Smeets, B.

On the construction of perfect authentication codes that permit arbitration 343

Johansson, T. 

Codes for interactive authentication 355 

Gemmell, P. and Naor, M. 

Hash functions based on block ciphers: a synthetic approach 368

Preneel, B., Govaerts, R. and Vandewalle, J. 

Security of iterated hash functions based on block ciphers 379 

Hohl, W., Lai, X., Meier, T. and Waldvogel, G. 







Improved algorithms for the permuted kernel problem 391 

Patarin, J. and Chauvaud, P. 

On the distribution of characteristics in composite permutations 403 

O’Connor, L. 

Remark on the threshold RSA signature scheme 413 

Li, C. M., Hwang, T. and Lee, N. Y. 

Another method for attaining security against adaptively chosen ciphertext attacks 420

Lim, C. H. and Lee, P. J. 

Attacks on the birational permutation signature schemes 435 

Coppersmith, D., Stern, J. and Vaudenay, S. 

Interaction in key distribution schemes 444 

Beimel, A. and Chor, B. 

Secret-key agreement without public-key cryptography 456 

Leighton, T. and Micali, S. 

Broadcast encryption 480 

Fiat, A. and Naor, M. 







Alfredo De Santis (Ed.) 



Advances in 
Cryptology - 
EUROCRYPT ’94 



Workshop on the Theory and Application 
of Cryptographic Techniques 
Perugia, Italy, May 9-12, 1994 
Proceedings 



Lecture Notes in Computer Science 950 




Springer 







Preface 

Eurocrypt is a series of open workshops devoted to all aspects of cryptologic
research, both theoretical and practical. The first workshop was held in 1982,
and since then the meetings have taken place in various places in Europe. The
Eurocrypt meetings and the Crypto meetings in Santa Barbara, California, are
sponsored by the International Association for Cryptologic Research (IACR).

Eurocrypt 94 was held on May 9-12, 1994, in Perugia, an Italian city that
was a city-state of Etruria in the 7th and 6th centuries BC. It is a pleasure to
thank the general chair William Wolfowicz and the organising committee, who
all contributed to make a well organised and successful conference.

There were 137 submitted papers which were considered by the Program
Committee. Of these, 2 were withdrawn and 36 were selected for presentation
and publication in the proceedings. Two of the papers appearing in the
proceedings merged papers from two submissions. These proceedings contain
revised versions of the 36 contributed talks. Each paper was sent to at least 3
members of the Program Committee for comments. Revisions were not checked
on their scientific aspects. Some authors will write final versions of their papers
for publication in refereed journals. Of course the authors bear full responsibility
for the contents of their papers.

Silvio Micali, MIT, gave a brilliant invited talk on the Clipper Chip and Fair
Cryptosystems. 

I am very grateful to the 11 members of the Program Committee for their
hard work and the difficult task of selecting about 38% of the submitted papers.
As usual, submissions to Eurocrypt 94 were required to be anonymous. The
more recent tradition that a Program Committee member can be the author of
at most one accepted paper has been followed. Papers submitted by members of
the Program Committee were sent to all other members. The entire refereeing
process was done by electronic mail.

The following referees and external experts helped the Program Committee
in reaching their decisions: S. R. Blackburn, Carlo Blundo, S. Boucheron, Gilles
Brassard, Odoardo Brugia, Marco Bucci, Mike Burmester, Claude Carlet,
Pascale Charpin, Jean-Marc Couveignes, Eteneg, Giovanni Di Crescenzo, Michele
Elia, Piero Filipponi, Toru Fujiwara, Marc Girault, Akira Hayashi, Toshiya
Itoh, Hugo Krawczyk, Kaoru Kurosawa, Antoine Joux, James Massey, Mitsuru
Matsui, Tsutomu Matsumoto, Natsume Matsuzaki, Renato Menicocci, Chris
Mitchell, Atsuko Miyaji, Emilio Montolivo, Francois Morain, David M'raihi,
Sean Murphy, Giuseppe Persiano, Jean-Marc Piveteau, G. M. Poscetti,
Jean-Jacques Quisquater, Kouichi Sakurai, Miklos Santha, Nicolas Sendrier, Matteo
Sereno, Hiroki Shizuya, Dan Simon, Markus Stadler, Othmar Staffelbach, Doug
R. Stinson, S. Prigila, Ugo Vaccaro, Serge Vaudenay, Jeroen van de Graaf, P. R.
Wild, William Wolfowicz. The Program Committee appreciates their effort.

The rump session was chaired by Yvo Desmedt. There were 25 presentations,
of which 11 appear in the proceedings.

Special thanks to Carlo Blundo and Giovanni Di Crescenzo for their help.
Finally, I would like to thank everyone who submitted to Eurocrypt '94.



University of Salerno, Italy
July

Alfredo De Santis
Program Chair, EUROCRYPT '94
PREFACE

The CRYPTO '94 conference is sponsored by the International Association for
Cryptologic Research (IACR), in co-operation with the IEEE Computer Society
Technical Committee on Security and Privacy. It has taken place at the
University of California, Santa Barbara, from August 21-25, 1994. This is the fourteenth
annual CRYPTO conference, all of which have been held at UCSB. This is the
first time that proceedings are available at the conference. The General Chair,
Jimmy R. Upton has been responsible for local organisation, registration, etc.

There were 114 submitted papers which were considered by the Program
Committee. Of these, 1 was withdrawn and 38 were selected for the
proceedings. There are also 3 invited talks. Two of these are on aspects of
cryptography in the commercial world. The one on hardware aspects will be presented
by David Maher (AT&T), the one on software aspects by Joseph Pato
(Hewlett-Packard). There will also be a panel discussion on “Securing an Electronic World:
Are We Ready?” The panel members will be: Ross Anderson, Bob Blakley, Matt
Blaze, George Davida, Yvo Desmedt (moderator), Whitfield Diffie, Joan
Feigenbaum, Blake Greenlee, Martin Hellman, David Maher, Miles Smid. The topic of
the panel will be introduced by the invited talk of Whitfield Diffie on “Securing
the Information Highway.”

These proceedings contain revised versions of the 38 contributed talks. Each
paper was sent to at least 3 members of the program committee for comments.
Revisions were not checked on their scientific aspects. Some authors will write
final versions of their papers for publication in refereed journals. Of course the
authors bear full responsibility for the contents of their papers.

I am very grateful to the members of the Program Committee for their hard
work and the difficult task of selecting roughly 1 out of 3 of the submitted papers.
As has been done since 1989, submissions to CRYPTO '94 were required to be
anonymous. The more recent tradition, introduced since 1991, that a Program
Committee member can be the author of at most one accepted paper has been
followed. Papers submitted by members of the Program Committee were sent
to at least 4 referees (and, of course, no Program Committee member reviewed
his or her own paper).

The following referees and external experts helped the Program Committee
in reaching their decisions: Amos Beimel, Josh Benaloh, Eli Biham, Carlo
Blundo, Gilles Brassard, Benny Chor, Philippe Delsarte, Yair Frankel, Atsushi
Fujioka, Oded Goldreich, Dan Gordon, Thomas Hardjono, Gene Itkis, Markus
Jakobsson, Burt Kaliski, Hugo Krawczyk, Kaoru Kurosawa, Eyal Kushilevitz,
Susan Langford, Hendrik Lenstra, Carsten Lund, Kevin McCurley, Yi Mu, Moni
Naor, Seffi Naor, Kazuo Ohta, Kevin Phelps, Jean-Jacques Quisquater,
Venkatesan Ramarathnam, Jim Reeds, Ron M. Roth, Rei Safavi-Naini, Ryuichi Sakai,
Doug Stinson, Jimmy Upton, Paul Van Oorschot, Scott Vanstone and Yuliang
Zheng. The Program Committee appreciates their effort.

Thanks to Eli Biham for helping with PostScript, Tom Cusick for being willing
to provide a backup to read e-mail, Dave Rasmussen for organizing the automatic
mailing facility used to distribute information, Marg Feeney and Ann Libert
for secretarial work, Carlo Blundo, Giovanni Di Crescenzo, Ugo Vaccaro and
William Wolfowicz for helping out at the last minute. I would also like to thank
my hosts of my sabbatical year, Shimon Even, Scott Vanstone and Alfredo De
Santis, where most of the work towards the conference took place. Several people
have helped the General Chair with sending out the call for papers, registration,
registration at the conference, etc.

Finally, I would like to thank everyone who submitted to CRYPTO '94. It
goes without saying that the success of the conference depends ultimately on
the quality of the submissions — CRYPTO has been and remains a leading
conference in the discipline due to the high quality of the papers submitted. I
am also grateful to the authors for sending me final versions of their papers for
publication in these proceedings in a timely fashion.



Yvo Desmedt

Program Chair, CRYPTO '94
University of Wisconsin - Milwaukee, USA
Salerno, Italy, June, 1994. 
PREFACE



EUROCRYPT '95. Sponsored by the International Association for Cryptologic
Research (IACR), in cooperation with the Centre Commun d'Etudes de
Télédiffusion et Télécommunications (CCETT), a workshop on the theory and
applications of cryptographic techniques takes place at the Palais du Grand Large,
Saint Malo, France, May 21-25, 1995.

The General Chair of EUROCRYPT '95 is Françoise Scarabin. The
Organization Committee was helped by Maryvonne Lahaie and her communication
team. Moreover, the CCETT has generously provided the help of a young
English lady, Miss Virginia Cooper, for the secretariat of both the Organization and
Program Committees. They all did an excellent job in preparing the conference.
It is our pleasure to thank them for their essential work.

IACR and EUROCRYPT. According to a very good suggestion expressed
during CRYPTO '82, the Association was established at CRYPTO '83. Today,
the Association has approximately 500 members and the mailing file managed
by its Secretariat consists of more than 2 000 names.

The main goal of the Association is the sponsoring of two annual conferences:
CRYPTO, every summer at the University of California, Santa Barbara (UCSB),
and EUROCRYPT, every spring in a different European country. Moreover, the
Association edits quarterly the Journal of Cryptology (JoC).

After 2 conferences held in 1982 in Burg Feuerstein (Germany) and in 1983 in
Udine (Italy), the name EUROCRYPT was used for the very first time in 1984 in
Paris (France). Since then, EUROCRYPT has taken place at a variety of venues:
in 1985 in Linz (Austria), in 1986 in Linkoping (Sweden), in 1987 in Amsterdam
(Netherlands), in 1988 in Davos (Switzerland), in 1989 in Houthalen (Belgium),
in 1990 in Aarhus (Denmark), in 1991 in Brighton (United Kingdom), in 1992
in Balatonfured (Hungaria), in 1993 in Lofthus (Norway) and in 1994 in Perugia
(Italy). EUROCRYPT '96 is planned to take place in Sarragossa (Spain).

Previous Proceedings. The following 24 proceedings have been published for
conferences held at UCSB (CRYPTO) and in Europe (EUROCRYPT).

1. Advances in Cryptology: a Report on CRYPTO 81, ECE Report no. 82-04,

Allen Gersho, Ed., ECE Dpt, UCSB, Santa Barbara, CA 93106.

2. Cryptography: Proceedings, Burg Feuerstein, 1982,

T. Beth, Ed., LNCS 149, Springer-Verlag, 1983.

3. Advances in Cryptology: Proceedings of Crypto 82,

D. Chaum, R. L. Rivest and A. T. Sherman, Eds., Plenum, NY, 1983.

4. Advances in Cryptology: Proceedings of Crypto 83,

D. Chaum, Ed., Plenum, NY, 1984.

5. Advances in Cryptology: Proceedings of EUROCRYPT 84,

T. Beth, N. Cot and I. Ingemarsson, Eds., LNCS 209, Springer-Verlag, 1985.

6. Advances in Cryptology: Proceedings of CRYPTO 84,

R. Blakley and D. Chaum, Eds., LNCS 196, Springer-Verlag, 1985.

7. Advances in Cryptology: Proceedings of EUROCRYPT '85,

F. Pichler, Ed., LNCS 219, Springer-Verlag, 1986.

8. Advances in Cryptology: CRYPTO '85,

H. C. Williams, Ed., LNCS 218, Springer-Verlag, 1986.

9. Advances in Cryptology: CRYPTO '86,

A. M. Odlyzko, Ed., LNCS 263, Springer-Verlag, 1987.

10. Advances in Cryptology: EUROCRYPT '87,

D. Chaum and W. L. Price, Eds., LNCS 304, Springer-Verlag, 1988.

11. Advances in Cryptology: CRYPTO '87,

C. Pomerance, Ed., LNCS 293, Springer-Verlag, 1988.

12. Advances in Cryptology: EUROCRYPT '88,

C. G. Günther, Ed., LNCS 330, Springer-Verlag, 1988.

13. Advances in Cryptology: CRYPTO '88,

S. Goldwasser, Ed., LNCS 403, Springer-Verlag, 1989.

14. Advances in Cryptology: EUROCRYPT '89,

J.-J. Quisquater and J. Vandewalle, Eds., LNCS 434, Springer-Verlag, 1990.

15. Advances in Cryptology: CRYPTO '89,

G. Brassard, Ed., LNCS 435, Springer-Verlag, 1990.

16. Advances in Cryptology: EUROCRYPT '90,

I. B. Damgard, Ed., LNCS 473, Springer-Verlag, 1991.

17. Advances in Cryptology: CRYPTO '90,

A. J. Menezes and S. A. Vanstone, Eds., LNCS 537, Springer-Verlag, 1991.

18. Advances in Cryptology: EUROCRYPT '91,

D. W. Davies, Ed., LNCS 547, Springer-Verlag, 1991.

19. Advances in Cryptology: CRYPTO '91,

J. Feigenbaum, Ed., LNCS 576, Springer-Verlag, 1992.

20. Advances in Cryptology: EUROCRYPT '92,

R. A. Rueppel, Ed., LNCS 658, Springer-Verlag, 1993.

21. Advances in Cryptology: CRYPTO '92,

E. F. Brickell, Ed., LNCS 740, Springer-Verlag, 1993.

22. Advances in Cryptology: EUROCRYPT '93,

T. Helleseth, Ed., LNCS 765, Springer-Verlag, 1994.

23. Advances in Cryptology: CRYPTO '93,

D. R. Stinson, Ed., LNCS 773, Springer-Verlag, 1994.

24. Advances in Cryptology: CRYPTO '94,

Y. G. Desmedt, Ed., LNCS 839, Springer-Verlag, 1994.

No proceedings were published for the conferences held in 1983 in Udine (Italy)
and in 1986 in Linkoping (Sweden). Moreover at the time of writing this preface,
the proceedings of EUROCRYPT '94 held in Perugia (Italy) are still wanting for
publication. A careful examination of the list induces the following five remarks.

- The words 'Advances in Cryptology' appeared on the first proceedings.

- Since 1984, CRYPTO and EUROCRYPT are written in capitals.

- Since EUROCRYPT '85, the number of the year is preceded by '.

- Since CRYPTO '85, the words 'Proceedings of' have disappeared.

- Among these 24 proceedings, 21 were published by Springer Verlag.
Submissions, Program, Proceedings. CRYPTO ’94 and EUROCRYPT ’95
are the first two IACR conferences where the proceedings are available at the
conference; the subsequent advance of the submission deadline by two months
explains the slight decrease in the number of submissions: 135 at CRYPTO ’92,
117 at EUROCRYPT ’93, 136 at CRYPTO ’93, 137 at EUROCRYPT ’94, 114
at CRYPTO ’94, 113 at EUROCRYPT ’95.

This outcome does not appear to be long term, there being 150 submissions
for CRYPTO ’95. Equally, the Board of Directors of the IACR is currently looking
at solutions to address this problem for later conferences.

Thus the Program Committee of EUROCRYPT ’95 received 113 submissions,
among which one was withdrawn by the author and one by the Program Chair
for double submission. The editors would like to thank everyone who submitted
a paper. The success of a conference depends ultimately upon the quality of
the contributions. EUROCRYPT and CRYPTO have been and remain leading
conferences in cryptology due to the high quality of the submissions.

Each paper was submitted for evaluation and comments to at least 4 members
of the Program Committee. The process was anonymous, as it has been since
1989. The Program Committee has selected 33 papers among the 111 remaining
submissions, i.e., slightly less than one third.

The rule, introduced in 1991, whereby a member of the Program Committee
can be the author of at most one accepted paper, has been respected. Moreover,
a new rule states that the status of Program Chair is not compatible with that
of author.

The Program Chair is very grateful to all the members of the Program
Committee for their hard work. It was a pleasure working with all of them.

Several experts helped the Program Committee members in reaching their
decisions. In the name of the Program Committee, the Program Chair would
also like to express here his appreciation for their efforts and their expertise.

The editors thank the authors for providing them in due time with the final
versions of their papers. The availability of the proceedings at the conference is
a significant progress, appreciated by the editors and also by each participant.

The Author Index at the end of this book consists of 60 names. We know the
date of birth of 30 people in this list: 7 are in their forties; 11 in their thirties;
12 in their twenties, four of them being only 24 years old! The youngest one
will be 24 on the last day of the conference. The significant percentage of young
authors is an encouraging sign of vitality of the IACR conferences.

Rump Session. The rump session is now an established tradition at IACR
conferences. It aims at presenting the most recent results and at establishing
the contestation of results presented in the other sessions. The publication of
the proceedings at the conference seriously reduces the possibility of publishing
the rump talks in the book. However, one contestation has been presented in
due time and the corresponding rump talk is provided as the last paper of this
book. As long as fair play is respected, such a contestation is another proof
of the vitality of the IACR conference. Of course, each author bears the full
responsibility for his or her paper.
Special Session. In the program, a special session is dedicated to the
introduction of arithmetic co-processors in the security self-programmable
one-chip microcomputers (SPOMs), such as those used in smart cards. Allowing
an efficient use of PK and ZK techniques, such arithmetic co-processors will
deeply modify the use of smart cards in their various applications.

With the agreement of the Program Committee, the Program Chair set up a
Special Committee chaired by Pascal Chour (AQL) and Marc Girault (SEPT).
With the help of Guy Monnier (SGS Thomson) and David Arditti (CNET-Paris),
the Special Committee has done an admirable job in orienting and focusing the
preparation of the three invited talks of the special session and in organizing a
corresponding illustrative exhibition.

David Naccache (Gemplus), Michel Ugon (Bull CPS) and Peter Landrock
(Cryptomathic) have agreed to draft and to talk respectively on the following
three aspects: hardware (architectural principles, trade-offs, performances,
provisional calendars of the silicon founders); software (possible security
mechanisms for functional aspects, such as digital signature, entity
authentication, key management, file management, card issuing); applications
(estimated consequences in major applications such as banking, telephone,
television, health care, network security, electronic purse, transportation ... ).
A copy of the three talks is available for each participant as a special
pre-publication.

The subject is particularly hot if we consider the major work of Europay
International, MasterCard International and Visa International in drafting the
so-called EMV specifications. The goal of the three organizations is a general
worldwide use of SPOMs in credit cards. The present production of SPOMs for
smart cards is about 30 million pieces per year, approximately one half of which
are for banking purposes. The needs of the banks which are members of the three
international organizations are evaluated around 300 million pieces per year.

Ten years ago, EUROCRYPT ’84 held a special session on smart cards;
at that time, we were at the very beginning of a general French development
with the publication of specifications, in January 1984, by the GIE des Cartes
Bancaires, the French interbank association; today, we are on the verge of a
general worldwide development with the publication of the EMV specifications.

However, the EMV phenomenon should not hide all the other emerging
applications. Let us quote Gustavus J. Simmons: “Smart cards will put a
sophisticated information-integrity device in the wallet or purse of practically
every person in the industrialized world, and will therefore probably be the most
extensive application ever made of cryptographic schemes” (Preface of
Contemporary Cryptology, The Science of Information Integrity, IEEE Press,
1992).
PREFACE

The Crypto ’95 conference was sponsored by the International Association
for Cryptologic Research (IACR), in cooperation with the IEEE Computer
Society Technical Committee on Security and Privacy, and the Computer Science
Department of the University of California, Santa Barbara. It took place at the
University of California, Santa Barbara, from August 27-31, 1995. This was the
fifteenth annual Crypto conference; all have been held at UCSB. For the second
time, proceedings were available at the conference. The General Chair, Stafford
Tavares, was responsible for local organization and registration.

The Program Committee considered 151 papers and selected 36 for
presentation. There were also two invited talks. Robert Morris, Sr. gave a talk on
“Ways of Losing Information,” which included some non-cryptographic means
of leaking secrets that are often overlooked by cryptographers. The second talk,
“Cryptography - Myths and Realities,” was given by Adi Shamir, this year’s
IACR Distinguished Lecturer. Shamir is the second person to receive this honor,
the first having been Gus Simmons at Crypto ’94.

These proceedings contain revised versions of the 36 contributed talks. Each
paper was sent to at least three members of the program committee for
comments. Revisions were not checked on their scientific aspects. Some authors
will write final versions of their papers for publication in refereed journals. Of
course, the authors bear full responsibility for the contents of their papers.

I am very grateful to the members of the Program Committee for their hard
work and the difficult task of selecting one quarter of the submitted papers.
Following recent traditions, the submissions were anonymous; and each program
committee member could be the author of at most one accepted paper.

We thank the following referees and external experts for their help on
various papers: Philippe Beguin, Mihir Bellare, Charles Bennett, Gilles Brassard,
Florent Chabaud, Chris Charnes, Yair Frankel, Atsushi Fujioka, Thomas
Hardjono, Philippe Hoogvorst, Nobuyuki Imoto, Toshiya Itoh, Sushil Jajodia,
Lars Knudsen, Paul Kocher, Mitsuru Matsui, Tsutomu Matsumoto, David
M’Raïhi, Yi Mu, Rafail Ostrovsky, Eiji Okamoto, Tatsuaki Okamoto, David
Pointcheval, Rei Safavi-Naini, Kouichi Sakurai, Jennifer Seberry, Hiroki
Shizuya, Dan Simon, Othmar Staffelbach, Jacques Stern, Moti Yung and
Xian-Mo Zhang. I apologize for any omissions.

I thank Baruch Schieber and Prabhakar Raghavan for help with software and
LaTeX; Barbara White and Peg Cargiulo for secretarial help; and Yvo Desmedt,
Jimmy Upton and Peter Landrock for advice on the mechanics.

Finally, thanks go to all who submitted papers for Crypto ’95. The success of
the conference depends on the quality of its submissions. I am also thankful for
all the authors, who cooperated by delivering their final copy to me in a timely
fashion for the proceedings.
PREFACE

The EUROCRYPT ’96 conference was sponsored by the International Association
for Cryptologic Research (IACR)¹, in cooperation with the University of
Saragossa. It took place at the Palacio de Congresos in Saragossa, Spain, during
May 12-16, 1996. This was the fifteenth annual EUROCRYPT conference (this
name has been used since the third conference held in 1984), each of which has
been held in a different city in Europe. For the second time, proceedings were
available at the conference. Jose Pastor Franco, the General Chair, was
responsible for local organization and registration. His contribution to the
success of the conference is gratefully acknowledged.

The Program Committee considered 126 submitted papers and selected 34
for presentation. Each paper was sent to all members of the Program Committee
and was assigned to at least three of them for careful evaluation. There were also
two invited talks. James L. Massey, this year’s IACR Distinguished Lecturer,
gave a lecture entitled “The difficulty with difficulty”. Massey is the third to
receive this honor, the first two being Gustavus Simmons and Adi Shamir. Shafi
Goldwasser gave an invited talk entitled “Multi party secure protocols: past and
present”.

These proceedings contain revised versions of the 34 contributed talks. While
the papers were carefully selected, they have not been refereed like submissions
to a refereed journal. The authors bear full responsibility for the contents of their
papers. Some authors may write final versions of their papers for publication in
a refereed journal.

I am very grateful to the members of the Program Committee for generously
spending much of their time on the difficult task of selecting the papers to
be presented at the conference. Following recent tradition, the submissions were
anonymous. Each committee member could be an author of at most one accepted
paper.

The help of the following referees and external experts in evaluating various
papers is gratefully acknowledged: Philippe Beguin, Matt Blaze, Daniel
Bleichenbacher, Bert den Boer, Antoon Bosselaers, Jørgen Brandt, Gilles
Brassard, Christian Cachin, Jan Camenisch, Ran Canetti, Florent Chabaud,
Ronald Cramer, Scott Decatur, Markus Dichtl, Marten van Dijk, Jan-Hendrik
Evertse, Joan Feigenbaum, Eiichiro Fujisaki, Rosario Gennaro, Jean Georgiades,
Jeroen van de Graaf, Louis Granboulan, Shai Halevi, Erwin Hess, Martin Hirt,
Nobuyuki Imoto, David-Olivier Jaquet-Chiffelle, Stasio Jarecki, Mike Just,
Gregory Kabatianski, Volker Kessler, Lars Knudsen, Jack Lacy, Françoise
Levy-dit-Vehel, Mitsuru Matsui, Willi Meier, J. Merkle, Kazuo Ohta, Torben
Pedersen, David Pointcheval, Mike Reiter, Vincent Rijmen, Kazue Sako, Berry
Schoenmakers, Peter Schweitzer, J. P. Seifert, Peter Shor, Markus Stadler,
Jacques Stern, Ramarathnam Venkatesan, Stefan Wolf, Aaron Wyner, and
Hirosuke Yamamoto. I apologize for possible omissions.

¹ The main purpose of the IACR is to sponsor two annual conferences: CRYPTO, every
summer at the University of California, Santa Barbara (UCSB), and EUROCRYPT,
every spring in a different European country. The IACR also publishes the Journal
of Cryptology.

Special thanks go to Martin Hirt for his help with the organization of the
committee’s work and with the preparation of the proceedings. Martin Burkart
provided help with software for automatically handling correspondence with
authors. Don Coppersmith, Louis Guillou, Kevin McCurley, and Jean-Jacques
Quisquater gave advice for the organization of the committee’s work. Louis
provided LaTeX files for preparing parts of these proceedings.

Finally, I would like to thank all who have submitted papers to EUROCRYPT ’96
and the authors of accepted papers for their cooperation.



March 1996 



Ueli Maurer 
Preface

Crypto ’96, the Sixteenth Annual Crypto Conference, is sponsored by the
International Association for Cryptologic Research (IACR), in cooperation
with the IEEE Computer Society Technical Committee on Security and Privacy
and the Computer Science Department of the University of California at
Santa Barbara (UCSB). It takes place at UCSB from August 18 to 22, 1996.
The General Chair, Richard Graveman, is responsible for local organization
and registration.

The scientific program was organized by the 16-member Program
Committee. We considered 115 papers. (An additional 15 submissions had to be
summarily rejected because of lateness or major noncompliance with the
conditions in the Call for Papers.) Of these, 30 were accepted for presentation.
In addition, there will be five invited talks by Ernest Brickell, Andrew Clark,
Whitfield Diffie, Ronald Rivest, and Cliff Stoll. A Rump Session will be chaired
by Stuart Haber.

These proceedings contain the revised versions of the 30 contributed talks.
The submitted version of each paper was examined by at least three
committee members and/or outside experts, and their comments were taken into
account in the revisions. However, the authors (and not the committee) bear
full responsibility for the content of their papers.

A successful Crypto conference requires the combined efforts of many
people. In the first place I wish to thank the members of the Program
Committee, who devoted a tremendous amount of time and energy to reading
the papers and making a difficult selection. They are: Mihir Bellare, Josh
Benaloh, Matt Blaze, Johannes Buchmann, Don Coppersmith, Joan
Feigenbaum, Andrew Klapper, Lars Knudsen, Peter Landrock, Tsutomu
Matsumoto, Chris Mitchell, Paul Van Oorschot, Bart Preneel, Rainer
Rueppel, and Jacques Stern. They were assisted by the following outside
experts, whom I would also like to thank: Martin Abadi, Birgit Baum, Charles
Bennett, Antoon Bosselaers, Gilles Brassard, Florent Chabaud, Giovanni
Di Crescenzo, Matthew Franklin, Jovan Golic, Louis Granboulan, Russell
Impagliazzo, Markus Jakobsson, Thomas Jakobsen, Jack Lacy, Xuejia Lai,
Kevin McCurley, Kaisa Nyberg, David Pointcheval, James Reeds, Mike
Reiter, Vincent Rijmen, Dan Simon, Doug Stinson, Serge Vaudenay,
Michael Waidner, Michael Wiener, Yakov Yakobi. I apologize for any
omissions in this list.

I would next like to thank the authors of all the papers (not just the ones
that we were able to accept) for their hard work and cooperation. In
particular, I very much appreciated the positive spirit with which they complied
with the new requirement of a 1-page statement about the oral presentation,
even though this was a further imposition on their time. The authors' 1-page
statements turned out to be useful to me and the reviewers in several ways:
in determining whom to ask to evaluate the paper, in getting an informal
overview (which the authors might not have found appropriate to include in
the formal paper), and sometimes in deciding between acceptance and
rejection in a borderline case.

Finally, I want to thank a few other individuals who made the job of
Program Chair more tractable and rewarding. It was a pleasure to work with the
General Chair, Richard Graveman, who was helpful and cooperative beyond
the call of duty. Scott Vanstone was an important source of encouragement in
the first period after my appointment as Program Chair, when I was afraid
that I would do everything wrong. My wife Ann provided some useful
suggestions, as well as the reassuring perspective of a historian of science who
knows that any damage caused by my mistake will be of no importance in the
next millennium.



Neal Koblitz
June, 1996 
Preface

EUROCRYPT ’97, the 15th annual Eurocrypt conference on the theory and
application of cryptographic techniques, was organized and sponsored by the
International Association for Cryptologic Research (IACR). The IACR
organizes two series of international conferences each year, the EUROCRYPT
meeting in Europe and CRYPTO in the United States.

The history of EUROCRYPT started 15 years ago in Germany with the Burg
Feuerstein Workshop (see Springer LNCS 149 for the proceedings). It was due
to Thomas Beth’s initiative and hard work that the 76 participants from 14
countries gathered in Burg Feuerstein for the first open meeting in Europe
devoted to modern cryptography. I am proud to have been one of the
participants and still fondly remember my first encounters with some of the
celebrities in cryptography.

Since those early days the conference has been held in a different location in
Europe each year (Udine, Paris, Linz, Linköping, Amsterdam, Davos,
Houthalen, Aarhus, Brighton, Balatonfüred, Lofthus, Perugia, Saint-Malo,
Saragossa) and it has enjoyed a steady growth. Since the second conference
(Udine, 1983) the IACR has been involved; since the Paris meeting in 1984, the
name Eurocrypt has been used. For its 15th anniversary, EUROCRYPT finally
returned to Germany.

The scientific program for EUROCRYPT ’97 was put together by an 18-member
program committee which considered 104 high-quality submissions. These
proceedings contain the revised versions of the 34 papers that were accepted
for presentation. In addition, there were two invited talks by Ernst Bovelander
and by Gerhard Frey.

A successful Eurocrypt conference requires the combined efforts of many
people. First, I would like to thank the members of the program committee,
who devoted a tremendous amount of time and energy to reading the papers
and making the difficult selection. They are: Michael Burmester, Hans
Dobbertin, Marc Girault, Shafi Goldwasser, Alain P. Hiltgen, Don B. Johnson,
Pil Joong Lee, Tsutomu Matsumoto, David Naccache, Kaisa Nyberg, Paul
Van Oorschot, Torben P. Pedersen, Josef Pieprzyk, Bart Preneel, Rainer
Rueppel, Claus Schnorr, and William Wolfowicz.

In addition, I gratefully acknowledge the support to the program committee by
the following experts: Albrecht Beutelspacher, Simon R. Blackburn, Carlo
Blundo, Antoon Bosselaers, Odoardo Brugia, Marco Bucci, Anne Canteaut,
Chris Charnes, Ivan Damgård, Yvo Desmedt, Erik De Win, Markus Dichtl,
Michele Elia, Piero Filipponi, Marc Fischlin, Roger Fischlin, Steven Galbraith,
Oded Goldreich, Dieter Gollmann, Shai Halevi, Helena Handschuh, Erwin
Hess, Stanislaw Jarecki, Joe Kilian, Lars R. Knudsen, Xuejia Lai, Françoise
Levy-dit-Vehel, Keith M. Martin, Willi Meier, Alfred Menezes, Renato
Menicocci, Daniele Micciancio, Preda Mihailescu, Thomas Mittelholzer, Sean
Murphy, Pascal Paillier, Birgit Pfitzmann, Tal Rabin, David M'Raihi, Vincent
Rijmen, Ron Rivest, Rei Safavi-Naini, Jacques Traoré, and Peter Wild. I
apologize to those whose names have inadvertently escaped this list.

I also thank Alfred Büllesbach, Roland Mailer, Roland Nehl, and Susanne
Röhrig for taking the responsibility to organize EUROCRYPT ’97, and Christina
Strobel for her help with the proceedings.

Finally, I would like to thank the authors of all submissions (including those
whose papers could not be accepted because of the large number of
high-quality submissions received) for their hard work and cooperation.



March 1997 



Walter Fumy 
Preface

Crypto ’97, the Seventeenth Annual Crypto conference organized by the
International Association for Cryptologic Research (IACR) in cooperation
with the IEEE Computer Society Technical Committee on Security and
Privacy and the Computer Science Department of the University of
California, Santa Barbara, represents another step forward in the steady
progression of the science of cryptology. There is both a tremendous need for
and a great amount of work on securing information with cryptologic
technology. As one of the two annual meetings held by the IACR, the Crypto
conference provides a focal point for presentation and discussion of research
on all aspects of this science.

It is thus a privilege to coordinate the efforts of this community in focusing
on its steps forward. Crypto ’97 is a conference for its community, and to the
researchers who have contributed to it — those whose papers appear in the
proceedings, those whose submissions were not accepted, and those who have
laid the foundation for the work — the community owes a debt of gratitude.

The process of developing a conference program is a challenging one, and
this year’s committee made the process both enjoyable and effective. My
thanks go to Antoon Bosselaers, Gilles Brassard, Johannes Buchmann, Ivan
Damgård, Donald Davies, Alfredo de Santis, Susan Langford, James L.
Massey, Moni Naor, David Naccache, Tatsuaki Okamoto, Douglas Stinson,
Michael J. Wiener, Rebecca Wright, and Yuliang Zheng for many hours of
reviewing submissions and presenting their comments to the committee.

My thanks also to the committee’s two advisory members, Neal Koblitz and
Hugo Krawczyk, the program chairs of Crypto ’96 and ’98. Neal’s experience
from a year ago and Hugo’s perspective on the year ahead have helped to
make this year’s conference what it is, and should provide continuity to the
next one.

Continuing a recent tradition, the review process for Crypto ’97 was
conducted entirely by e-mail and fax, without a program committee meeting.
Each submission was assigned anonymously to three committee members
(though many submissions were reviewed by more than three people), and
decisions were made through several rounds of e-mail discussions. Of the 160
submissions received, the committee accepted 36, of which 35 appear in final
form in these proceedings. Except for the papers themselves, nearly all
correspondence with authors was also conducted by e-mail.
Gilles Brassard and Oded Goldreich complete this year’s program with their
invited lectures on quantum information processing and the theoretical
foundations of cryptology. My appreciation to both of them, as well as to
Stuart Haber, who chairs the conference’s informal rump session (whose
papers, due to logistics, cannot be included in these proceedings).

The program committee benefited from the expertise of many colleagues:
Carlisle Adams, Carlo Blundo, Dan Boneh, Jørgen Brandt, Ran Canetti, Don
Coppersmith, Erik De Win, Giovanni Di Crescenzo, Matthew Franklin,
Atsushi Fujioka, McMto Fujisaki, Rosario Gennaro, Helena Handschuh,
Michael Jacobson Jr., Markus Jakobsson, Joe Kilian, Lars Knudsen,
Tetsutaro Kobayashi, Françoise Levy-dit-Vehel, Keith Martin, Markus
Maurer, Andreas Meyer, David M’raihi, Volker Mueller, Stefan Neis, Kobbi
Nissim, Kazuo Ohta, Pascal Paillier, Sachar Paulus, Giuseppe Persiano, Erez
Petrank, Benny Pinkas, Bart Preneel, Tal Rabin, Omer Reingold, Mike Reiter,
Pankaj Rohatgi, Taiichi Saitoh, Berry Schoenmakers, Martin Strauss, Edlyn
Teske, Shigenori Uchiyama, Paul Van Oorschot, Susanne Wetzel, and Hugh
Williams. My thanks to each one, as well as to any others whom I have
inadvertently omitted.

The successful organization of this year’s conference is due to its general
chair, Bruce Schneier. The functions of general chair and program chair are
for the most part independent, but at those times where collaboration was
required, Bruce was very helpful, and I appreciate the opportunity to have
worked with him. On behalf of Bruce, I would also like to extend my thanks
to R^[giad CartiU' and Karen Cockier for their assistance in the organization of
Crypto ’97.

My work was also not without assistance, and I would like to thank Ari Juels
and Gem Sireen for their participation in administrative aspects of the
program.

In the Proverbs, it is written: “It is the glory of God to conceal a thing; but the
honour of kings is to search out a matter.” The search for knowledge about
cryptology — itself the science of secrets — is an essential part of protecting
information in today’s increasingly open world. Another step in this search is
expressed in these proceedings. May the search of such matters, and the
search for knowledge about cryptology, continue for many years to come.



Burt Kaliski



June 16, 1997 
Bedford, Massachusetts 
intractibility)

collision resistance (see collision intractibility)

collision intractibility e87-203, e90-326, c90-285, c97-470, c96-201, c92-433,
c94-40

- FFT-Hash e92-35, e92-45, c92-587

collision search e89-429, c89-408, c96-229

COMSEC device security c81-124

computation with encrypted inputs (see also instance hiding, locally random
reductions, and random self-reducibility) c85-477, c87-40, c87-73, c87-87,
c88-336, c91-377, c91-392, c91-420

computer and network security c81-130, e82-219

computer viruses c86-459, c88-354, c89-616

conference key distribution c87-175, e88-11, c88-520, c89-324, e92-437,
e92-449, e93-440, e94-275

confusion c84-314

constrained linear equations c94-164

continued fractions e88-191, e89-571, e90-313

contracts (see fair exchange)

correlation attack e87-25, e88-301, e89-586, e90-204, e90-214, e91-176,
e92-113, e92-472, e94-230, e95-248, c97-499

correlation immunity (see also boolean function nonlinearity) c85-260,
c85-260, e86-42, e86-43, e89-549, e90-124, c91-86, e93-181, e96-283, c96-372,
e97-422

covert channels (see subliminal channels)

cryptanalysis (see also differential cryptanalysis, linear cryptanalysis,
correlation attacks, timing attacks, and differential fault analysis) e82-31,
e82-49, c84-339, e86-21, e86-27, e89-395, c94-294, c94-318

cryptographic coprocessors c87-257, e90-230

cut and choose e87-227, e89-294

cyclotomic fields c85-396

databases and storage c81-80, c83-157, c83-231, e86-50, e88-167, c92-89

data compression c83-209, e91-266

- Ziv-Lempel complexity e91-114

data-dependent rotations c81-42

Data Encryption Standard (DES) c81-39, c82-89, c83-171, c85-192, c89-428,
c90-530, c97-513

- DESX c96-252

- differential cryptanalysis c92-487, c90-2, c92-497, c93-212

- cryptanalysis e82-235, c82-97, c90-2, c92-487, c92-497, e93-386, c93-212,
e94-461, c94-1, c94-17, e95-24
- cycle structure e82-263, c82-99, c82-129, e85-81, c85-212, c85-282, c85-535,
e86-16, c86-9, c87-243, c87-255, e89-429, e92-99, c92-512

- exhaustive search e86-17

- hardware implementations c84-115, c84-144, c84-147, e87-287, e87-301,
c87-257, c91-367, c92-521, c92-575

- key schedule c82-311, c84-359, c85-537, e93-398

- linear cryptanalysis c94-1, e93-386, c94-26

- linearity c84-377, e87-249

- propagation characteristics e84-62, c84-359, c84-468, e89-696

- pseudo-random permutations c91-301

- S-box design (see also avalanche criterion) e82-257, c84-359, c85-280,
e86-20, e87-25, c85-523, c86-3, c87-438, c89-612, c90-564, e94-366

- triple DES e90-318, c96-237

- weak keys c81-41, c82-89, c82-97, e86-16, c86-9, e94-419

Davies-Price message authentication scheme c85-14

deniable encryption c97-90

designated confirmer signatures c89-253, e94-86, c94-61

Dickson scheme e85-50

difference sets e90-151

differential cryptanalysis e91-17, e94-356, e94-366, c94-17, e95-13, c96-216,
e97-1

- authentication codes c93-200

- characteristics e93-360

- DES c92-487, c90-2, c92-497, c93-212

- FEAL e91-1

- Khafre c91-156

- LOKI c91-156

- Lucifer c91-156, c93-187



- MD5 e92-71

- N-hash e91-1

- RC5 c95-171, c96-216

- REDOC-II c91-156

- Snefru c91-156

- provable security against c92-566, e93-55, c93-403, c94-383, e94-356,
e94-376

differential fault analysis (see also tamper resistance) c97-513, e97-37

Diffie-Hellman (see also bit security) c83-359, e89-29, c89-344, e89-597,
c90-268, c94-308, e96-332, c97-75, c97-249, c97-264, e97-62, e97-256

- batch operation e92-208

- bit security e85-62, c96-129

- relation to discrete logarithms c88-530, c94-271, c96-268, c96-283

- timing attacks c96-104

- short exponent attacks e96-332

diffusion c84-314, e89-696, c85-282, e90-389

digital signatures c81-65, c82-211, c83-377, c97-165, c97-180, e96-399

- constructions c84-47, c84-54, c84-66, c84-467, c87-369, c89-218, c89-239,
c93-1

- existentially computationally unforgeable c94-234

- forgery e90-441

- interactive protocols c95-297

- legal requirements e89-273

- message recovery e94-182

- online/offline signatures c89-263

- reductions c83-137, c88-200, e89-16, c94-75

- unconditionally secure c90-206

Digital Signature Algorithm (DSA) (see Digital Signature Standard)
Decimal, Shift, and Add algorithm (DSA) e86-3

Digital Signature Standard (DSS) c97-264, c97-277, e96-354, e94-77, e94-182

- attacks c92-76, c96-83

- variations e94-77

- threshold signatures c95-397

- timing attacks c96-104

dining cryptographers (see anonymity)

discrete logarithms c81-142, c84-3, c82-3, c82-15, c83-253, e84-224, c84-73,
c90-109, c90-616, e91-281, e91-399, e92-420, e95-341, c97-249, c97-264,
e97-62, e97-256, e96-332

- class groups c90-134, c94-56

- Coppersmith algorithm c84-73, c92-312

- elliptic curves c86-84

- ElGamal algorithm c84-10, c85-396

- in GF(p²) c83-275

- special exponents c90-639, e92-454

- modulo a composite e90-481

- number field sieve c93-159, e95-95

- proof of knowledge c86-200, c88-57

- subexponential algorithms c93-147

distance bounding e93-344

divertibility e90-1

dynamic passwords (see also password security, identification) e87-171

edit distance c97-499

education c89-628, c92-371

efficient algorithms

- GF(2'=) e97-363

election schemes e88-177, e89-134, e89-617, c91-405, e93-248, c94-411,
e95-393, e97-103, e96-72



electronic cash (see also blind signatures and wallets) c91-338, c92-106,
e94-156

- anonymous cash c82-199, e88-107, c88-319, c89-481, c96-45, e95-121

- divisible cash c91-324, e94-306, c95-438

- double spending c93-292

- off-line e93-318, c93-302

- on-line e89-288

- payment systems c82-187, c88-328, e89-294, e95-121

- transferability e92-390

ElGamal signature scheme c84-10, c97-249, c97-264, e97-119, e96-10, e96-387,
c91-445

- cryptanalysis c96-89

- verifiable secret sharing c90-253, e95-50, e95-168

electronic funds transfer (EFT) (see banking networks)

electronic mail c81-64, c81-83, e85-43, e89-237, e89-249, e89-355, c92-139

elliptic curve cryptosystem c85-417, c86-84, e91-316, e96-49, c97-235, c97-342,
c97-357, e97-363

- GM-curves c91-279

- counting points e91-328, e95-79, e97-379, e95-79

- efficient algorithms e89-706, c89-186, c90-156, e92-163, e92-482, c92-333,
c92-345, c94-50, c95-43, e97-379

- modulo a composite c91-252, c92-54, e93-40

engineering experience e85-191, c84-3, e89-243

Enigma e82-65, c89-2

entropy e86-28, c87-438, e97-193

ESIGN e91-446

Euler totient function e88-267
exhaustive search c81-2, c81-7, e86-17, e88-361, c88-132, c96-229, c96-252,
c92-575

exponentiation e92-200, e92-477, c92-345, e93-274, c94-95, e96-166

- addition chains c89-400, e90-222, e92-174, e94-389

- in GF(2ⁿ) c86-277, c86-302, e88-251

- nonlinearity e89-80

exponential sums c96-31

export issues c81-135

factoring c83-71, c83-81, c83-87, c84-114, e85-31, e89-355, e91-281, e92-429

- class group algorithm e82-325

- elliptic curve algorithm c85-409, e92-183

- Morrison-Brillhart algorithm e82-331

- number field sieve c95-372

- quadratic sieve c83-103, e84-169, e84-183, e88-235, e90-72, c92-324,
c93-166, e93-28, e94-400

- Schroeppel algorithm e82-331

fail-stop signatures e92-366, c92-15, c93-250, e97-480

fair cryptosystems c92-113, c95-208

fair exchange c81-148, c82-205, c83-133, c83-377, c84-434, e89-150, e93-200,
e95-220

FEAL e87-267, c87-434, e88-293, c89-624, c90-22, c90-627, e91-1, c91-172,
e92-81, e94-341, c94-12, c94-369

Feistel cipher e96-307

FFT-Hash c92-587

Fiat-Shamir protocol c86-186, c87-21, e88-87, c88-232, c88-244, e89-173,
e90-432, e90-446, c90-169, c90-456, e92-488, e97-37, c92-139, c94-202

- security c96-143, e89-122



filter generators e96-268 
finite state machines e87-65 
fingerprinting c85-180, c95-452, 
e97-88, e96-84 
formal coding e82-235 
formal verification (see protocol 
analysis) 

forward secrecy e97-62 
function composition e88-3, 
e89-23 

Gabidulin cryptosystem e96-212 
GCHQ e97-134 
generic algorithms e92-420, 
e97-256 

Goldwasser-Micali-Rivest 
signature scheme c86-104 
GOST C96-237, e94-433 
graph isomorphism c92-390 
group factorizations e93-50, 
C97-198 

group signatures c87-120, e89- 
56, e91-257, c91-457, e94-171, 
e94-194, e95-39, e97-465, c97-410 

Guillou-Quisquater iden- 
tification scheme (see 
identification) 

hard core bits e95-356 
hard core predicate c97-l 
hash functions c89-416, c89-428, 
e90-412, C97-485, e94-410 

- block ciphers c83-203, e89-102, 
C89-428, e92-55, c93-379 

- constructions e87-217, e91-508, 
e93-286, c93-331, c93-368, 
C93-379, C94-40, c94-129, e95-301 

heat equation c87-306 
Herlestam, Tore e87-3 
hidden field equations e96-33, 
C96-45 

history c81-84, c81-110, c81-154, 
e82-l, e82-31, e82-65, c84-339, 
e85-3, e85-18, e87-3, e89-2, 
e89-649, e93-142 
HMAC c95-1, c96-1
homophonic coding e88-405, e89-382
homomorphic functions e87-117
hyperelliptic curve c88-94, e91-337, c91-267
IDEA block cipher e90-389, e93-371, e93-453, c93-224, e95-24, c96-237, e97-1
identification schemes e82-283, e84-387, c87-211, e90-493, e91-409, c92-31, e93-260, c93-232
- constructions e89-173, c93-13, c94-164
- Guillou-Quisquater identification scheme e88-123, c88-216, e89-16, c92-31, c94-202
- interactive identification e82-289, c86-186, e88-35, e88-77, c89-498, e90-63, c90-169, e92-461, c94-202, e96-344, e95-319
- Okamoto identification scheme e88-281
identity-based cryptosystems c84-47, c86-111, c87-203, c87-340, c87-429, e88-11, e90-16, e90-481, e91-498, c94-83
- key exchange c87-194, c88-583, e89-29, e92-458, c91-288
- conference key distribution c87-175
incremental hashing c94-216, e97-163, e97-393
information-theoretic security (see also key exchange, perfect secrecy, and security models) c83-303, e86-28, e86-29, e86-49
instance generators c88-297
instance hiding (see also computation with encrypted inputs, locally random reductions, and random self-reducibility) c90-62, c90-326
interconnection networks e91-302
intractable problems in number theory c88-77
irreducibility testing e82-165
ISDN c87-9
ISO 9796 digital signature standard e90-465
isomorphism of polynomials e96-33
Kerberos (see also Needham-Schroeder) c89-35, e91-399
- cryptanalysis c96-89
key distribution c82-231, c87-185, e89-75, e89-436, c89-344, c90-268, c90-274, e93-461, c93-444, e94-320, e96-321, c96-387
key equivocation e84-51, c85-489, c87-461, e88-375
key escrow c95-222, e97-119, e97-134, c92-113
- Clipper c92-113, c93-456, c95-185, c95-222
- software systems e95-147, e96-237, c96-89
- warrant bounds c95-197
key exchange c83-137, c83-359, c84-434, e88-159, e89-29, e89-597, c89-335, c89-604, e90-11, e90-98, c91-44, c91-242, c92-461, c92-471, e93-410, c93-456, e94-299, c97-75, c97-292
- authentication e89-38, e89-665, c93-232
- function composition c81-140, e88-3
- information-theoretically secure e97-209
- multiparty c91-141
- one-way functions e89-56
key freshness and lifetime c85-246, e90-16
key generation e84-317, e84-335, e89-110, c97-425, c92-66, c92-358
key recovery (see key escrow)
key schedule c85-537, e93-398, c96-237
kleptography c97-264, e97-62
Khafre c90-476, c91-156
Khufu c90-476, c94-359
knapsack cryptosystems c81-16, c81-17, e82-289, e82-309, e82-316, c82-279, c82-289, c82-303, c83-3, c83-25, c83-39, c84-54, c84-342, e87-109, e88-97, c89-416, e91-39, e93-305, c93-13, e94-112, c97-105, c97-112, c97-198, c97-221
- modular knapsacks c81-20, e90-405, c91-204
- polynomial knapsacks e85-73
Kryha machine e82-49
Lamport signature scheme c89-218, c92-1, c94-75
Lanczos algorithm e95-106
lattice reduction (see also knapsack cryptosystems) e87-109, e88-281, c97-105, c97-112, c97-198, c97-221, c97-385, e97-52, e97-163
- Chor-Rivest scheme e95-1
- LLL algorithm c82-303, c83-39, c84-54, c84-342, c85-104, e90-313, e91-54, e91-281, e94-58
- simultaneous diophantine approximation c83-3, e89-47
learning problems c93-278
Lim-Lee cryptosystem c95-287
linear cryptanalysis (see also Data Encryption Standard linearity and boolean function non-linearity) e87-249, e94-341, e94-356, e94-366, c94-12, c94-17, c94-26, c95-157, e96-224, e97-1
- DES c94-1, e93-386, c94-26
- piling-up lemma e95-24
- RC5 c95-171
- provable security against e94-439
linear complexity (see also Berlekamp-Massey algorithm) e84-99, e85-119, e85-156, e85-161, c85-260, e86-30, e86-33, e86-34, e86-35, c86-405, e87-15, e87-37, e87-53, e88-191, e89-523, e89-533, e89-563, e89-571, e89-691, c89-82, c89-90, e90-174, e90-189, e91-168, e92-138, e93-151, c93-22, e94-205, e94-223, c94-332, c96-358
- de Bruijn sequences e87-5, c88-479, e89-544, e90-196, e95-263
- random sequences e85-167
linear congruential generator c82-317, e86-23, c89-138, c97-277
linear consistency c89-164
linear syndrome attack c88-469, c90-34
local area networks c81-73, e82-219, c82-251, e84-349, e85-214, e85-221, c86-451, e87-301, c88-507, e89-38, e89-249, c89-30, c89-64, c89-356
local randomness e92-408
locally random reductions (see instance hiding)
LOKI e93-398, e94-419
Luby-Rackoff block cipher e92-239, e96-307
Lucas sequences c95-386
Lucifer block cipher e93-398, c93-187
MD4 hash function e90-492, c90-303, c91-194, e93-293, c96-298
MD5 hash function e92-71, c96-298
magic ink signatures e97-450
man in the middle attack e97-75
manipulation detection code (MDC) c86-327, e88-97
Markov chains e95-13
Markov ciphers e91-17, e93-453
matrix cover problem c82-21
Matsumoto-Imai public key scheme e84-142, c87-185, e88-419, e95-382, c95-248
maximum order complexity e91-153
McEliece cryptosystem c81-25, e87-143, c87-224, e88-275, c88-119, e89-657, e91-68, e91-482, e91-517, c97-213, e96-212
medical records e82-228, e84-416, e89-662
meet in the middle attacks c83-209, e85-81, c85-192, c91-183, c96-229
Merkle-Hellman cryptosystem (see knapsack cryptosystems)
message authentication code (MAC) c84-393, e86-7, e89-93, c89-154, e97-149, e97-393, e96-19, c96-1, c96-313
- CBC-MAC c94-341
- differential attacks c93-200
- hash functions e95-301, c95-1, c96-1
- XOR MACs c95-15
- bucket hashing c95-29
Meyer-Matyas hash function e90-326
MIX-networks (see anonymity)
modular arithmetic c82-51, e86-15, e87-217, e88-245, c89-371, c89-387, e90-496, c90-601, c90-619, c91-313, c93-175, e96-166
- Montgomery multiplication e90-230, e92-477, e92-488, c96-104
modular polynomial relations c97-16
multi-level security c82-237, e86-50
multi-party computation c82-167, c87-135, c87-462, e89-208, c89-560, c89-589, c89-591, c90-62, c90-77, c93-266, c94-397, c94-425, e95-168, c95-110
multiple encryption c85-212, e89-636
multiplexed sequences e82-189
MTI protocol c97-264
NMAC c96-1
Needham-Schroeder model c93-456, e96-321
noisy channels e82-165, e97-306
non-linearity order (see boolean functions) e89-80, e90-161, e92-92, c96-372
non-malleability c97-46, e94-92
notary c82-259
number field sieve c92-66, c95-372
Okamoto identification scheme (see identification)
Okamoto-Shiraishi signature scheme c85-28
oblivious transfer c82-205, c83-147, e84-379, c84-439, c87-350, c88-2, e89-150, c89-547, c89-604, e90-31, e90-46, c90-77, e91-106, c91-351, e92-285, c95-97, c95-110, e96-119, e97-306, e97-334
old jokes (see recursion)
one time pad c82-39
one-way accumulators e93-274
one-way functions c88-578, c89-604, c90-285, e92-408, c94-75, c97-1, c97-385
- bit security c96-114
- circuits c91-232
- key distribution e89-56
- permutations c88-8, c92-421
one way group actions c90-94
Ong-Schnorr signature scheme c83-117, c84-37, e90-432
Ong-Schnorr-Shamir signature scheme c85-3, c92-139, e93-233
optimal asymmetric encryption e94-92
orthogonal arrays c91-62, c94-247
orthogonal groups e82-71, c84-95
orthogonal latin squares e94-47
passports c87-21, e88-183
password security (see also dynamic passwords) c81-81, e82-283, c87-392, c89-44
perceptrons e95-319
perfect secrecy c82-39, e87-237, e89-497, e90-361
permutation group cryptosystems (PGM) c89-447, c94-108
permutation polynomials c83-293
permuted kernel problem c89-606, c92-305, c93-391
personal computers e85-231
physical access control c85-543
ping-pong protocols c82-177, c82-315, c85-58
plug and play encryption c97-75
poker c84-439, c84-454, c85-73, c85-104, c86-234, c86-239, e90-374, c93-319
polyalphabetic ciphers e82-31, e82-49
polynomial substitution c85-340, e86-51
polynomial time e92-297
primality testing c81-10, e84-216, c86-443, e88-211, e89-626, e89-636, e89-652, e90-110, c90-625, e91-328, e91-512, c92-358, c94-282
- of polynomials e82-207
privacy amplification c85-468, c97-307, e97-334, e94-266
proactive security e92-307, c95-339, c97-440
probabilistic encryption c82-145, c84-289, c86-381, e88-415
program checking c90-515
propagation criterion e90-161, e91-141
protocol analysis c81-71, c85-87, e85-254, e86-48, c87-167, c87-289, e91-387, c91-24, c91-44, e94-320
pseudo-exponentiation e90-344
pseudo-random number generator (see also alternating step generator, stream ciphers) c81-1, c82-61, c84-193, c84-303, e85-149, c85-433, e87-15, e87-77, e88-225, c88-146, c88-173, e89-423, e91-431, c97-46, c97-277, e96-245, c91-300
- hardware constructions c84-203
- shrinking generator e94-205, c93-22
pseudo-randomness c89-100, c89-113, c90-421, c94-114
- integrity check c93-40
- Legendre and Jacobi sequences c88-163
- pseudo-random functions c84-276, c89-461, c95-185, c97-46
- pseudo-random permutations c84-269, c85-447, e89-412, e90-140, c91-301, e92-239, e92-256, e92-267
- tests c90-394, c90-409
public key cryptosystem (see also RSA, Chor-Rivest, Matsumoto-Imai, knapsack cryptosystems, probabilistic encryption) c90-576, e94-92, c95-236, e97-27
- constructions c82-21, e84-16, e84-150, c84-10, c84-19, c84-66, c85-128, e87-143, e87-3, e89-3, e89-23, e89-47, c91-445, e94-445, e95-329, e96-33, e96-49, e96-60, c96-45
- small key lengths e92-163
public randomness e90-46, c92-421, c92-461
quadratic fields c83-275, c84-37, c85-3, e89-597, c89-335, e90-98, e90-432, c94-56
quadratic residuosity c86-213, c86-234, c90-339, c93-61, e95-367, e96-131
quadratic span (see also linear complexity) c89-82
quantum cryptography c82-267, c84-475, e94-468, c95-424, c97-337
- bit commitment c90-49
- experiments e90-253, c96-329
- key distribution c96-343
- oblivious transfer c91-351, e95-133, c95-124
Quisquater-Girault hash function e90-326
RC4 e97-226
RC5 c95-171, c96-216
RIPEMD c96-298
RSA (see also bit security) e82-325, c97-132, c97-221, c97-372, c97-425, c97-440, e97-37, e96-399
- and semigroups e82-353
- approximate L-th roots c88-100
- authentication c89-154
- batch operation c89-175
- equivalence to factoring c85-358
- hardware designs c81-83, c82-327, e84-159, c85-350, c86-277, c86-311, c86-480, e87-95, c87-257, e88-257, e89-219, c89-368, e90-245, e92-221
- key generation e84-216, e91-294
- low exponent attacks c85-403, e86-55, e89-372, e96-1, e96-155, e96-178
- redundancy attacks c85-18
- shared key construction c97-425
- signature forgery e90-83, e92-378, e97-495, e96-1
- threshold signatures e88-455, c89-253, c93-413, e94-194, c96-157
- timing attacks (see also tamper resistance) c96-104
- variations c82-211, c83-293, c86-49, c86-118, e87-203, e88-455, e89-617, c90-140, c92-1, c94-234, c96-173
random permutations e82-71
random functions c83-43, c87-231, c87-243, e89-329, e91-542, e91-552
random oracle model c97-455, e96-387
random self-reducibility (see also computation with encrypted inputs, instance hiding, and locally random reductions) e89-134
Rao-Nam scheme c87-445, c87-458
REDOC-II c90-545
recursion (see old jokes)
redundancy c97-221, e97-495
related key attack e93-398, c96-237
related message attack c97-213
relativized cryptosystem c81-54
release of secrets c87-156
replay attack c97-213
replicated data c87-379
resilient functions c94-247, e95-274, e96-283, e97-422
rights management e93-260
Rip van Winkle cipher c86-393
RIPE e89-267
rotor machines e89-395
SAFER e95-24, c95-274, c96-237
satellite communications e84-426
Schnorr pseudo-random number generator e89-423
Schnorr signature scheme e89-688, c89-239, e91-71, e93-435, c97-264, e97-37, c92-31, c94-202, e95-64
secret sharing (see also visual cryptography) e82-371, c82-321, c84-231, c84-481, c88-390, e89-436, c89-299, c90-216, c92-558, e93-126, e93-448, e96-107, e96-200
- access structures c88-27, e92-1, c95-367
- cheaters c86-261, c88-564
- dynamic schemes c84-481, c93-110
- homomorphic schemes c86-251, c92-549
- ideal secret sharing e89-468, c89-278, c92-183
- information rate c86-266, c90-242, c91-101, c92-148, c92-168, e93-118, c93-136, e94-13, e95-194
- multi-secret schemes c93-126, c94-150
- perfect secret sharing e94-23
- proactive c95-339
- public reconstruction c95-353
- ramp schemes c84-242
- randomness e94-35
- shadow schemes e89-491
- threshold schemes c81-82, e86-46, e86-47, c87-330, e88-389, c89-286, e92-25, c95-410
- trusted third parties e90-266, e95-183
- verifiable secret sharing c86-251, c91-114, c91-129, e95-50, e96-96, e96-190
- zero knowledge c93-73
secret key certificates e95-231
Secure Hash Algorithm (SHA) c96-298, e97-348
security models (complexity vs. information-theoretic security) c81-54, e84-3, e85-3, c88-249
self-certified public keys e91-490
semantic security c97-46, e94-92
semigroups e82-353
server-aided computations c88-497, e92-153, e95-64, c95-57, c95-70
SETUP attacks c96-89, c97-264
Shannon's theory c87-461, e90-361
shrinking generator e94-205
shuffle-permutation networks c85-523, c92-260
signcryption c97-165
singular cubic curves e95-329
smart cards c81-109, c82-219, e84-446, e84-457, e84-459, e84-464, e84-470, e84-480, e85-200, e86-8, e86-10, c86-464, e87-177, e88-77, e88-87, c90-502, e91-446, e94-445, e95-404, e96-321
- digital signatures c88-484, e91-446
smart diskette c89-74
Snefru c90-476, c91-156
software primitives c90-476, c96-298, e97-348
software libraries e90-230
software protection c81-79, e84-446, c85-140, c85-158, c86-426, c89-610, e90-474
space filling curves c87-398, e89-403
sparse linear systems c90-109
speech scrambling e82-130, e82-147, e82-157, e82-173, e84-399, c84-83, e91-422
spread spectrum e85-273
square root extraction e86-15
standards c81-39, e86-14, c87-3, c87-223, e89-267, c89-620, e91-547
stream signatures c97-180
stream ciphers (see also cascade ciphers) c81-121, e82-181, c82-133, e87-53, e87-237, e88-317, e88-325, e96-256, e97-226, e97-239, c97-499
- active attacks e86-4
- binary sequence generators e82-189, e91-160, e91-200
- clock-controlled generator c82-323, e84-74, e84-93, e85-142, e87-53, e88-331, e89-680, e90-487, c95-148, c97-499, e94-230, e94-450
- cryptanalysis c95-262
- divide and conquer attacks c85-273
- feedback shift registers e82-207, c82-323, c83-249, e85-35, e85-40, e85-130, e85-135, e86-38, e89-503, e89-670, e92-124, e94-215
- hardware constructions c84-203, e87-77, e87-83
- iterative error correction e91-527
- m-sequences e88-351
- ML-sequences e85-103
- public key e86-53
- stop and go generator e84-88
- summation generator c85-260
- synchronization c84-174, e89-110, e91-458, e93-159, e93-168
strong primes e84-216
subset sum problem e97-163
subliminal channels c83-51, c84-101, c85-33, c87-21, e88-23, c88-375, c89-6, e97-62
- digital signatures e84-364, e93-218
surveillance systems e84-437
symmetric encryption c82-139, e85-96, c85-227, c97-292
- polynomials over finite fields e84-10
TCP c85-108
tamper resistance (see also timing attacks and differential fault analysis) c83-387, c86-111, e87-83, c87-203, c87-216, c92-89, c93-456, c97-513
threshold cryptosystems e88-455, e89-56, c89-307, e89-617, e90-352, e91-522, e96-107, e96-354, e97-465
- disenrollment c92-540
- signature schemes c96-74
- RSA c96-157
time stamping c90-437, e93-274
timing attacks (see also tamper resistance) c96-104
Toeplitz matrices e95-301
tracing traitors c94-257
traffic analysis e85-245
trapdoors e82-316, c92-66, c92-442, e92-194
trapdoor commitments e96-143
trapdoor rings c85-369
treaty verification c81-138
triple DES (see DES)
unconditional security c97-292, c85-42
undeniable signatures c89-212, e90-458, c90-189, e91-205, e91-221, e91-243, e91-554, c91-470, e96-372, c97-132
- cryptanalysis c96-74
- blackmail e94-425
universal one-way hash function (see also authentication codes) c82-79, e90-412, c90-285, e91-431, e92-408, c94-129, e95-311, e95-356, c95-29, c96-16, c96-31, c96-313, c97-470, e97-149
video scrambling c87-398, e89-403
visual cryptography e94-1, c96-401, c97-322
voting schemes (see election schemes)
wallets c83-383, c92-89, e93-329, c93-302
Walsh transform (see also correlation immunity) e85-103, e86-43, c87-243, c88-450, e89-80, e90-161, e91-141
weak keys
- RC5 c96-216
- DES c81-41, c82-89, c82-97, e86-16, c86-9, e94-419
- IDEA c93-224
wiretap channel c82-145, e84-33, e97-306
write-once memories e85-111, c85-458
word problem c84-19
zero knowledge c88-37, e89-181, c89-628, c90-456, c92-390, c95-325, c97-46, c96-201
- all-or-nothing disclosure c86-234, c89-573
- Arthur-Merlin games c88-580
- bit commitment c89-17, c90-94
- boolean circuits c86-223, c89-507
- computational zero knowledge e92-356, c97-31, c97-46, e97-280
- designated verifier proofs e96-143
- discrete logarithms e87-127, c86-200, c88-57
- divertible proofs e89-134, e90-1, e94-140
- interactive hashing e93-267, c93-100
- interactive proofs (see also identification) e87-3, c87-128, c88-71, c88-284, e89-122, c89-526, c89-545, c90-303, c90-313, c90-339, c90-378, e91-81, e91-96, c93-61, c94-174, c97-46, e97-318, e96-131
- key distribution c89-344
- medical records e89-662
- multi-prover c89-498, c90-366, e91-221, c91-213, c92-215
- non-interactive proofs c86-213, c87-52, c88-269, c89-194, c89-547, c90-353, c91-433, e92-341, c92-228, c92-442, c93-85, e95-413, c97-46
- NP c86-171
- predicates c86-195
- oblivious proofs c96-186
- parallel proofs c92-246, e94-140
- perfect zero knowledge e89-192, c92-196, c93-73, e95-367, c95-311, c97-46
- practicality e89-155
- proof of computational ability e89-196
- proof of knowledge e94-140
- proof of primitivity e89-150
- space-bounded c91-225
- statistical zero knowledge c97-16, c97-31
- protocols c97-46